Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

DELAWARE DATA PRIVACY REGULATIONS

Did You Know?

 
  • Limited methods of notification delivery
  • Vendors must report to Data Owners and cooperate
  • Data owners are responsible for reporting and notifications
  • DE attorney general may bring an action in law to address violations and recover damages
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?

 

Delaware breach and notification laws may apply if you are an individual or commercial entity that:

  • Conducts business in DE and owns or licenses computerized data that includes PII about a DE resident;
  • Maintains computerized data that includes PII that you do not own or license.

 There are exceptions.

What is PII?

 

PII relevant to a breach in Delaware includes an individual's name with one or more of the following:  

  • Social Security Number;
  • Driver's license or state ID card number;
  • Account or credit or debit card numbers, with any required security code, etc., that permits access to their financial account.

LAWS

APPLICABLE LAW

A few applicable statutes include, but are not limited to:

BUSINESSES: Title [13] XIII Commercial Transactions - Ohio Uniform Commercial Code / Chapter 1349: Consumer Protection: 1349.19 Private disclosure of security breach of computerized personal information data, 1349.191, 1349.192.

STATE AGENCIES:  Title [13] XIII Commercial Transactions - Ohio Uniform Commercial Code / Chapter 1347: Personal Information Systems:  1347.01, 1347.12 Agency disclosure of security breach of computerized personal information data, 1347.15.

RELATED LAWS

Related laws regarding record retention schedules include, but are not limited to:

  • Central clinical record - Ohio Admin. Code 3701-19-23;
  • Confidentiality - Ohio Rev. Code Ann. § 5123.31;
  • Confidentiality of patient records - Ohio Admin. Code 4729-5-29;
  • Duty of covered entities - Ohio Rev. Code Ann. § 3798.03;
  • General medical records requirements - Ohio Admin. Code 3701-83-11.

PENALTIES

COMPLIANCE PENALTIES

The attorney general can bring a civil action, including a temporary restraining order, a preliminary or permanent injunction, and civil penalties, as follows:

  • The combination of personal information breached;
  • For each day the business fails to comply: up to $1,000 per day;
  • For each day the business fails to comply over 60 days: $5,000 per day;
  • For each day the business fails to comply over 90 days: $10,000 per day;

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when assessing reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was encrypted or secured;
  • If the data included any kind of key or cipher;
  • If it was acquired by an unauthorized person;
  • If misuse of the information is reasonably possible.

A determination of non-notification must be documented in writing and retained for five years.

TIME LIMITS

Depending on the impact and type of breach, there may be specific entities to report to and specific time limits for reporting a breach. The notifications must be made in the most expedient time and manner possible and without unreasonable delay, unless law enforcement advises the person that notification will interfere with an investigation.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Disclosure may be made by written notice, by telephone, or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $75,000, or that the number of persons to be notified exceeds 100,000, or that the person does not have sufficient contact information.
