Delaware has modified its data breach notification law in an amendment set to take effect in April 2018. Signed on August 17, 2017, the amendment is the first significant change to Delaware’s data breach notification law since its original enactment in 2005. The amended law requires companies to notify affected Delaware residents of a breach involving their personal information within 60 days (replacing the current requirement of notification “as soon as possible”) after determination of a breach and adds a requirement to notify Delaware’s attorney general of any breach affecting more than 500 residents. Additionally, companies will now have to provide a year of free credit monitoring services for any resident whose Social Security number was breached. Other changes to the law include broadening its definition of personal information and narrowing its safe harbor for encrypted data.
