I do not recall having had a guest post, or writing a post with someone else's content. Until now.
The following article is reprinted with permission from an email sent on Friday, November 17, 2017 regarding "Consumer Protection" via the American Bar Association. I have checked out the new statutes so far as I am able to do so on Westlaw (they do not take effect until April 14, 2018).
So, without further ado, here with his permission is the excellent article written by American University law student David Alexander McGee and circulated via the American Bar Association on November 17, 2017:
Delaware Amends its Breach of Security Laws in Reaction to the Equifax Breach
Delaware Amends Title 6 of the Delaware Code Relating to breaches of security including personal information. Signed 8/7/17 and Effective 4/14/18.
Recently, Delaware amended Title 6 of the Delaware Code to update how companies that collect and retain personal information of Delaware residents must secure that information and handle breaches. The Delaware General Assembly passed this amendment in relation to the Equifax Security Breach. The most significant changes include:
- Expands the definition of "personal information" to also include state or federal identification cards, credit card number, passport number, a username or email address in combination with a password or security question and answer, medical history, health insurance policy number, unique biometric data, and an individual taxpayer identification number. Prior to the amendments, only driver's license number, social security number, account number, and a debit card number in combination with the security code were considered as "personal information".
- Requiring that any person conducting business with Delaware residents' personal information must implement and maintain reasonable procedures and practices to prevent unauthorized acquisition of the personal information.
- There is an additional definition added to what constitutes a "breach of security" which defines "breach of security" as an unauthorized acquisition of encrypted data if the person acquiring the data believes that the encryption key will be included in the data breach of reasonable belief it will be included.
- When there is a breach of security and personal information is obtained, any "person" (statutory definition which includes corporations, business trust, estate trust, partnership, etc.) who conducts business in Delaware must notify any resident of Delaware whose data was breached no later than 60 days after the breach, unless the breach would result in no harm being done to the resident.
- If the number of residents affected is over 500, the "person" (statutory definition) required to give notice shall also provide notice to the Attorney General.
- If a breach includes residents' Social Security number, then the person must give identity theft prevention services for 1 year and if applicable identity theft mitigation services at no cost.
The link to view the full bill is: legis.delaware.gov/BillDetail?LegislationId=26009.
------------------------------
David McGee
American University Washington College of Law
Class of 2019
Junior Staffer, Journal of Gender, Social Policy & the Law
Washington DC
------------------------------