Keeping up with the trend of state governments taking a proactive approach to cybersecurity, on August 17, 2017, Governor John Carney of Delaware signed into law a bill creating more stringent notification requirements on companies doing business in Delaware in the event of a data breach.
Under the bill, which goes into effect on April 14, 2018, companies are required to notify Delaware residents affected by a data breach within 60 days. Companies are further required to inform the state attorney general in the event that a data breach affects more than 500 residents. Prior to the enactment of the bill, companies were only required to notify state residents “as soon as possible” after discovering a possible breach, and were not required to notify the attorney general.
In addition to the reporting requirements, companies must also provide a year of free credit monitoring to residents whose Social Security numbers have been compromised. The bill further expands the types of protected information to include medical information, user names and passwords, and taxpayer identification numbers, among other data points.
Although there has largely been support for the bill, there has also been significant criticism due to the perceived burden that could be placed on small businesses. Such concerns even led the Delaware State Chamber of Commerce to rescind their support. Detractors argue that the level of liability small businesses are exposed to under the bill is substantial enough to put them out of business in the event of a data breach, as opposed to larger businesses who could withstand the financial impact.
Whether or not such concerns are valid, the bill is scheduled to take effect on April 14, 2018 and companies large and small must prepare accordingly.