DOVER, Del.–Delaware has enacted legislation that requires organizations to provide residents one year of free credit monitoring services if their sensitive personal information is compromised in a data breach. Delaware follows Connecticut in passing such a law.
That was the case in Delaware earlier this month, when Gov. John Carney (D) signed legislation making it the second state - the first was Connecticut - to require organizations to provide residents one year of free credit monitoring services if their sensitive personal information is compromised in a data breach.
"It makes sense to offer additional protections for Delawareans who may have their information compromised in a cybersecurity breach," said Carney, who signed the law at the University of Delaware, which offers a master's program in cybersecurity and a program to train small businesses to identify cybersecurity threats.
The measure makes Delaware the 14th state to require companies conducting business within their borders to implement and maintain reasonable security measures to safeguard personal information.
Under the new law, companies conducting business in Delaware are required to notify breach victims within 60 days of determining a breach has occurred. Notification can be delayed if law enforcement officials determine such notice would interfere in a criminal investigation. Entities also must notify the state attorney general if the number of breach victims exceeds 500 state residents.
The law does not consider a breach to have occurred if encrypted data is exposed, unless it is “reasonably believed” hackers also have the encryption key.
The new law goes into effect April 14, 2018.