The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Delaware
Data Breach Notification Statute
Highlights
Covered Entities: Any person who conducts business in this State and owns, licenses, or maintains personal information.
Consumer Notification: Notification is required to any resident “whose personal information was breached or is reasonably believed to have been breached.”
Regulatory Notification: Notification is required to the Delaware Attorney General at the time when notice is provided to the residents if the affected number of Delaware residents exceeds 500 residents.
Notification Timeline: Notice must be made without unreasonable delay but not later than 60 days after determination of the breach of security, unless a shorter time is required under federal law.
Data Format: Electronic.
Citations: Del. Code Title 6, §§ 12B-100, et seq.
More Details
Definitions:
- Breach: The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
- Personal Information (PI):
- A Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:
- Social Security number;
- Driver’s license number or state or federal identification card number;
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
- Passport number;
- A username or email address, in combination with a password or security question and answer that would permit access to an online account;
- Medical information: medical history, medical treatment by a health-care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;
- Health insurance information: health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
- Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; or
- An individual taxpayer identification number.
Safe Harbors:
- Encryption: The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information is not a breach of security to the extent that personal information contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable.
- Good Faith: Good faith acquisition of personal information by an employee or agent of any person for the purposes of such person is not a breach of security, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not required if, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached.
- Law Enforcement Delay: Notice may be delayed if a law-enforcement agency determines that the notice will impede a criminal investigation and such law-enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law-enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.
Direct Notice:
- Timing: Notice must be made without unreasonable delay but not later than 60 days after determination of the breach of security, unless a shorter time is required under federal law.
- Format: N/A
- Content: If the breach of security includes a Social Security number, the person shall offer to each resident, whose personal information, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year. Such person shall provide all information necessary for such resident to enroll in such services and shall include information on how such resident can place a credit freeze on such resident’s credit file.
- Method: Notice may be a) written; b) telephonic; or c) electronic, if the notice provided is consistent with ESIGN or if the person’s primary means of communication with the resident is by electronic means.
In the case of a breach of security involving login credentials of an email account furnished by the person, the person may instead comply by providing notice by another method or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the person knows the resident customarily accesses the account.
Substitute Notice:
Substitute notice is permitted if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
- Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.
- Conspicuous posting of the notice on a website page of the person if the person maintains 1 or more website pages.
- Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.
Remediation Services:
If the breach of security includes a Social Security number, the person shall offer to each resident, whose personal information, including Social Security number, was breached or is reasonably believed to have been breached, credit monitoring services at no cost to such resident for a period of 1 year.
Regulatory Notice:
Notification is required to the Delaware Attorney General at the time when notice is provided to the residents if the affected number of Delaware residents exceeds 500 residents.
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
A person that maintains computerized data that includes personal information that the person does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of security immediately following determination of the breach of security.
HIPAA:
A person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, as amended) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq., as amended), and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.
Private Action:
N/A
Associated Regulations:
N/A
Comprehensive Data Privacy Law
Delaware Personal Data Privacy Act (DPDPA)
Del. Code Ann. Title 6, §§ 12D-101 through 12D-111.
Highlights
Applicability:
Applies to persons that conduct business in Delaware or persons that produce products or services that are targeted to Delaware residents and that during the preceding calendar year did any of the following:
- Controlled or processed the Personal Data of not less than 35,000 Consumers, excluding Personal Data controlled or processed solely for the purpose of completing a payment transaction;
- Controlled or processed the Personal Data of not less than 10,000 Consumers and derived more than 20% of their gross revenue from the Sale of Personal Data.
Among other exclusions, the DPDPA excludes state and local government and judicial entities; certain nonprofit organizations; employment-related data; and data or entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Family Educational Rights and Privacy Act (FERPA), and Fair Credit Reporting Act (FCRA).
Controller and Processor Obligations:
- Limit the collection of Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the Consumer.
- Not process Personal Data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such Personal Data is processed, as disclosed to the Consumer, unless the Controller obtains the Consumer’s consent.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Personal Data appropriate to the volume and nature of the Personal Data at issue.
- Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian.
- Not process Personal Data in violation of the laws of Delaware and federal laws that prohibit unlawful discrimination.
- Provide an effective mechanism for a Consumer to revoke the Consumer’s consent that is at least as easy as the mechanism by which the Consumer provided the Consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request.
- Not process the Personal Data of a Consumer for purposes of targeted advertising or sell the Consumer’s Personal Data without the Consumer’s consent, under circumstances where a Controller has actual knowledge or willfully disregards that the Consumer is at least 13 years of age but younger than 18 years of age.
- Not discriminate against a Consumer for exercising any of the Consumer rights contained in the DPDPA, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
- Provide Consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following: (1) the categories of Personal Data processed by the Controller; (2) the purpose for processing Personal Data; (3) how Consumers may exercise their Consumer rights, including how a Consumer may appeal a Controller’s decision with regard to the Consumer’s request; (4) the categories of Personal Data that the Controller shares with third parties, if any; (5) the categories of third parties with which the Controller shares Personal Data, if any; (6) an active electronic mail address or other online mechanism that the Consumer may use to contact the Controller; and (7) if applicable, disclosure as to whether the Controller sells Personal Data to third parties or processes Personal Data for targeted advertising and the manner in which a consumer may exercise the right to opt out of such processing.
- Execute a binding contract with Processors that include required provisions, including processing instructions, duration of processing and requirement to return/destroy all Personal Data, subcontractor provisions, and the right of the Controller to audit the Processor.
- Processors shall adhere to the instructions of a Controller and assist the Controller in meeting the Controller’s obligations, including: (1) taking into account the nature of processing and the information available to the Processor, fulfilling by appropriate technical and organizational measures, insofar as is reasonably practicable, the Controller’s obligation to respond to Consumer rights requests; (2) taking into account the nature of processing and the information available to the Processor, assisting the Controller in meeting the Controller’s obligations in relation to the security of processing the Personal Data and in relation to the notification of a breach of security of the Processor’s system; and (3) providing necessary information to enable the Controller to conduct and document data protection assessments.
- For Controllers that control or process the data of not less than 100,000 Consumers, conduct data protection assessments, on a regular basis, for processing activities that present a heightened risk of harm to a consumer, including: (1) the processing of Personal Data for the purposes of targeted advertising; (2) the Sale of Personal Data; (3) the processing of Sensitive Data; and (4) Profiling that presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, Consumers;
- financial, physical, or reputational injury to Consumers;
- a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
- other substantial injury to Consumers.
- Respond in a timely manner to Consumer requests to exercise rights under the DPDPA, including appeals by Consumers.
Consumer Rights:
Businesses must respond to Consumer requests without undue delay, but not later than 45 days after receipt of the request. Consumers’ rights include the:
- Right to access Personal Data;
- Right to correct inaccuracies;
- Right to delete Personal Data;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to obtain a list of the specific third parties to which the Controller has disclosed the Consumer’s Personal Data;
- Right to opt out of targeted advertising, the Sale of Personal Data, and Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the Consumer.
If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer of the justification for declining to take action and instructions for how to appeal the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Department of Justice to submit a complaint.
More Details
Definitions:
- Consumer: An individual who is a resident of Delaware. “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.
- Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
- Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.
- Profiling: Any form of automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration by the Controller to a third party. “Sale of Personal Data” does not include any of the following: (a) the disclosure of Personal Data to a processor that processes the Personal Data on behalf of the Controller where limited to the purpose of such processing; (b) the disclosure of Personal Data to a third party for purposes of providing a product or service affirmatively requested by the consumer; (c) the disclosure or transfer of Personal Data to an affiliate of the Controller; (d) the disclosure of Personal Data where the Consumer directs the Controller to disclose the Personal Data or intentionally uses the Controller to interact with a third party; (e) the disclosure of Personal Data that the Consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience; or (f) the disclosure or transfer of Personal Data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the Controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the Controller’s assets.
- Sensitive Personal Data: Personal Data that includes any of the following: (a) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status; (b) genetic or biometric data; (c) Personal Data of a known child; (d) precise geolocation data.
Penalties:
Violations of the DPDPA constitute an unlawful practice under § 2513 of Chapter 25 of Title 6 and a violation of Subchapter II of Chapter 25 of Title 6 and may be enforced by the state Department of Justice. The maximum civil penalty for violations is $10,000 for each violation.
Private Action:
No
Associated Regulations:
N/A
Effective Date:
January 1, 2025
Insurance Data Security Statute
Highlights
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Delaware, not including a purchasing group or a risk retention group chartered and licensed in a state other than Delaware or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee shall develop, implement, and maintain a comprehensive, written information security program that is based on the licensee’s risk assessment and contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system. The program must be commensurate with the size and complexity of a licensee; the nature and scope of a licensee’s activities, including the licensee’s use of a third-party service provider; and the sensitivity of the nonpublic information that the licensee uses or has in the licensee’s possession, custody, or control.
Consumer Notification: A licensee must provide notice to consumers without unreasonable delay but no later than 60 days after determining that a cybersecurity event occurred, unless federal law requires a shorter time period or a law-enforcement agency determines that the notice will impede a criminal investigation and the law-enforcement agency has requested that the licensee delay notice, pursuant to 18 Del.C. § 8606(c).
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: 18 Del.C. §§ 8601 to 8611
More Details
Definitions:
- Consumer: An individual, including an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of Delaware and whose nonpublic information is in a licensee’s possession, custody, or control.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Delaware, not including a purchasing group or a risk retention group chartered and licensed in a state other than Delaware or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
- Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- Financial account number or credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records.
- Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
Regulatory Notice:
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- Delaware is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in 18 Del.C. § 1702, and either the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Delaware or any material part of the licensee’s operations, or the licensee is required to provide notice of the cybersecurity event to a government body, self-regulatory agency, or other supervisory body under state or federal law.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in Delaware and the cybersecurity event is either:
- A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Delaware or a material part of the licensee’s operations.
Content Requirements:
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible and shall have a continuing obligation to update and supplement initial and subsequent notifications to the Commissioner regarding material changes to previously provided information relating to the cybersecurity event:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity event has occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance, unless the third-party service provider provides the notice.
Penalties:
An insurance producer violating this chapter may be penalized in accordance with 18 Del.C. § 329.
Associated Regulations:
N/A