Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 60 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- Penalties and/or civil relief may apply
None to minimal
Delaware residents affected by a breach of security must be notified of the breach within 60 days, unless it is determined after appropriate investigation that harm to the individual(s) is unlikely.
A breach of security involving computerized personal information affecting over 500 residents must be reported to the Attorney General within 60 days.
If a breach of security includes individual’s Social Security numbers, businesses must provide credit monitoring services for a period of 1 year at no cost to the affected consumer.
If vendor is breached, they must notify the data owner. The data owner will be responsible to complete any required regulatory and consumer breach notification.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Businesses must have in place measures to destroy or arrange for destruction of consumer’s personal identifying records so that the records are made unreadable or indecipherable.
The Attorney General may bring an action to address violations relating to security breach and may seek relief appropriate to ensure compliance or recover monetary damages, or both.
Civil actions may be brought for violations relating to data disposal laws.
Employers must respond to employee’s requests for information and permit employees to inspect their own personnel files for purposes of accuracy of the records held by the employer.
Employer refusal of employee access can incur a civil penalty of up to $5,000.
Education-sector vendors must be contracted and abide by contractual requirements for the protection of educational records.
Delaware’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security, Licensees have until July 31, 2020 to comply with the information security requirements, and until July 31, 2021 to comply with the vendor management requirements.
Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
Del. Code Title 6 §§ 12B-100-12B-104 Computer security breaches
Del. Code Title 6 §§ 1201C-1206C Delaware Online Privacy and Protection Act
Del. Code Title 6 §§ 5001C-5004C Safe Destruction of Records Containing Personal Identifying Information
Del. Code Title 19 §§ 730-736 Right to Inspect Personnel Files / Safe destruction of records containing personal identifying information
Del Code Title 14 § 4111 Disclosure of pupils’ school records
Del. Code Title 14 §§ 8101A- 8106A Student Data Privacy Protection Act
Del. Code Title 18 §§ 8601-8611 Insurance Data Security Act