New Requirements for Computer Security Breaches in Delaware
December 5, 2017
Publication | Real Estate Services
On August 17, 2017, Governor John Carney signed HB 180 (as substituted and amended), which significantly changes current Delaware law regarding landlords’ requirements for notifying Delaware residents affected by a security breach of the landlords’ electronic database of their tenants’ personal information. It is crucial that landlords become familiar with these new requirements, which will take effect in April 2018.
While the magnitude of the changes is too great to address fully in this alert, we highlight the following major changes. First, the new law adds an affirmative duty for a business to maintain reasonable procedures and practices to prevent breaches of personal information. Second, the law adds a number of new items to the definition of personal information, such as user names and email addresses that, in combination with a password or security question and answer, would permit access to an online account. Third, there is now a qualified safe harbor for encrypted information, but with a number of provisos on how the encrypted information must be handled and maintained. Fourth, the Act simplifies compliance while giving the law more teeth. The new law eliminates various subjective standards on the scope of investigating when and if notice is required, and gives guidance on appropriate timing of notice to affected persons. It does so with a general rule requiring notice to potentially affected persons, but allowing the business to investigate and determine when and if notice is required in a specific instance. Fifth, the Office of the Attorney General must be notified if more than 500 Delaware residents are affected by the breach. Finally, the law requires offering one year of credit-monitoring service to any resident whose social security number was breached.
Landlords and other businesses that hold the personal information of Delaware residents should become familiar with these legislative changes. Most importantly, they should adopt procedures and practices to prevent breaches and to comply with the various requirements when a breach occurs. As the experts tell us, it is not a matter of if, but of when, a business will suffer a data breach.