On April 14, 2017, the Title 6 of the Delaware Code relating to breaches of security involving personal information will be modified.
House Substitute 1 for House Bill 180 (“House Bill 180”), also expands the definition of personal information to also include Delaware resident’s first name or first initial and last name in combination with a user name or email address (with information sufficient to gain access to that account), passport number, medical information, health insurance information, biometric data, and taxpayer identification number.
House Bill 180 also requires that notice of a breach “must be made without unreasonable delay but not later than 60 days after determination of the breach of security”.
If the affected number of Delaware residents to be notified exceeds 500 residents, notice must be given to the Delaware Attorney General.
If the breach of security includes a social security number, companies will have to offer reasonable identity theft prevention services and, if applicable, identity theft mitigation services at no cost to the affected Delaware resident for a period of 1 year.
However, generally companies are exempted from these obligations if “after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.”