SPONSOR:

Rep. Gilligan & Rep. Stone & Sen. Sokola ;

 

Reps. Booth, Buckworth, Ennis, Ewing, Fallon, George, Hall-Long, Hocker, Johnson, Keeley, Longhurst, McWilliams, Mulrooney, Plant, Roy, Schooley, Schwartzkopf, Ulbrich, VanSant, Viola, Williams; Sens. Bunting, Connor, Cook, Henry

 

HOUSE OF REPRESENTATIVES

 

143rd GENERAL ASSEMBLY

 

HOUSE BILL NO. 116

 

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

 

Section 1.  Amend Title 6 of the Delaware Code by adding thereto a new chapter to read: 

"CHAPTER 12B.  COMPUTER SECURITY BREACHES

§12B-101.  Definitions.

For purposes of this chapter: 

(1)     'breach of the security of the system' means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.  Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used for or is not subject to further unauthorized disclosure;

(2)     'personal information' means a Delaware resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

(i)    Social Security number;

(ii)   driver's license number or Delaware Identification Card number;

(iii)  account number, or credit or debit card number, alone or in combination with any required security code, access code, or password that would permit access to a resident's financial account; or

(iv)  individually identifiable information, in electronic or physical form, regarding the Delaware resident's medical history or medical treatment or diagnosis by a health care professional.

The term 'personal information' does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records;

(3)     'notice' means:

(i)    written notice;

(ii)   electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in §7001 of Title 15 of the United States Code; or

(iii)  substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed $250,000, or that the affected class of Delaware residents to be notified exceeds 500,000 residents, or that the individual or the commercial entity does not have sufficient contact information to provide notice.  Substitute notice consists of all of the following:

a.       e-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of Delaware residents; and

b.       conspicuous posting of the notice on the Web site page of the individual or the commercial entity if the individual or the commercial entity maintains one; and

c.       notification to major statewide media.

§12B-102.  Disclosure of breach of security of computerized personal information by an individual or a commercial entity.

(a)     An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information shall give notice to a resident of Delaware of any breach of the security of the system immediately following the discovery of a breach in the security of personal information of the Delaware resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Notification must be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in section (c) of this section and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b)     An individual or a commercial entity that maintains computerized data that includes personal information that the individual or the commercial entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the data immediately following discovery of a breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c)     Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation.  Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

(d)     An individual or a commercial entity that is required to give notice of a breach in the security of personal information pursuant to this chapter shall also promptly provide written notification of the nature and circumstances of the breach to the Consumer Protection Division of the Department of Justice.

§12B-103.  Procedures deemed in compliance with notice requirements.

(a)     Notwithstanding definition (3) (notice) of §12B-101 of this chapter, an individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of this chapter, is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.

(b)     If an individual or a commercial entity that is regulated by State or federal law provides greater protection to personal information than that provided by this chapter in regard to the subjects addressed by this chapter, compliance with that State or federal law is deemed compliance with this chapter with regard to those subjects.  This section does not relieve an individual or a commercial entity from a duty to comply with other requirements of State and federal law regarding the protection and privacy of personal information.

§12B-104.  Private right of action.

(a)     Any Delaware resident damaged by a violation of this chapter may bring an action for recovery of damages.  If damages are awarded to the Delaware resident, the damages shall be triple the amount of the actual damages proved plus reasonable attorney fees.

(b)     Nothing in this chapter may be construed so as to nullify or impair any right which a Delaware resident may have at common law, by statute, or otherwise.

§12B-105.  Violations.

In addition to the remedy provided in §12B-104 of this chapter, the Attorney General may bring an action in law or equity to address violations of this chapter and for other relief that may be appropriate.  The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law.

§12B-106.  Enforcement.

A violation of this chapter is within the scope of the enforcement duties and powers of the Consumer Protection Division of the Department of Justice, as described in 29 Del. C. §2517.".

SYNOPSIS

This bill will help ensure that personal information about Delaware residents is protected by encouraging data brokers to provide reasonable security for personal information.

 

This bill borrows from a similar California statute which requires companies to notify residents in the event of a security breach involving personal financial data.  California is the only state so far with such a law.  Pennsylvania is considering a computer security breach law.

 

This bill requires an individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that includes personal information to notify a resident of Delaware of any breach of the security of the system immediately following the discovery of a breach in the security of personal information of the Delaware resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Notification must be made in good faith, in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

 

Alternative notification procedures are provided in §12B-103.  In a civil action to recover damages (for example, losses due to identity theft), the award is triple the amount of actual damages plus reasonable attorney fees.

 

A violation of this Act falls under the enforcement duties and powers of the Consumer Protection Division of the Department of Justice, which may bring an action in law or equity to address violations of the Act and other appropriate relief.  The provisions of this Act do not nullify or impair any common law or statutory right that a person may have in regard to violations under the Act.