Chapter 12b. Computer Security Breaches

TITLE 6

Commerce and Trade

SUBTITLE II

Other Laws Relating to Commerce and Trade

CHAPTER 12B. COMPUTER SECURITY BREACHES

§ 12B-101. Definitions.

For purposes of this chapter:

(1) "Breach of the security of the system" means the unauthorized acquisition of unencrypted computerized data that compromises
the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good
faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes
of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information
is not used or subject to further unauthorized disclosure;

(2) "Commercial entity" includes corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited
liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental
subdivisions, agencies, or instrumentalities, or any other legal entity, whether for profit or not-for-profit;

(3) "Notice" means:

a. Written notice;

b. Telephonic notice;

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures
set forth in § 7001 of Title 15 of the United States Code; or

d. Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of
providing notice will exceed $75,000, or that the affected class of Delaware residents to be notified exceeds 100,000 residents,
or that the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute
notice consists of all of the following:

1. E-mail notice if the individual or the commercial entity has e-mail addresses for the members of the affected class of
Delaware residents; and

2. Conspicuous posting of the notice on the web site page of the individual or the commercial entity if the individual or
the commercial entity maintains one; and

3. Notice to major statewide media.

(4) "Personal information" means a Delaware resident's first name or first initial and last name in combination with any 1
or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted:

a. Social Security number;

b. Driver's license number or Delaware Identification Card number; or

c. Account number, or credit or debit card number, in combination with any required security code, access code, or password
that would permit access to a resident's financial account.

The term "personal information" does not include publicly available information that is lawfully made available to the general
public from federal, state, or local government records;

75 Del. Laws, c. 61, § 1.;

§ 12B-102. Disclosure of breach of security of computerized personal information by an individual or a commercial entity.

(a) An individual or a commercial entity that conducts business in Delaware and that owns or licenses computerized data that
includes personal information about a resident of Delaware shall, when it becomes aware of a breach of the security of the
system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information
has been or will be misused. If the investigation determines that the misuse of information about a Delaware resident has
occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to
the affected Delaware resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent
with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach
and to restore the reasonable integrity of the computerized data system.

(b) An individual or a commercial entity that maintains computerized data that includes personal information that the individual
or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information
of any breach of the security of the system immediately following discovery of a breach, if misuse of personal information
about a Delaware resident occurred or is reasonably likely to occur. Cooperation includes sharing with the owner or licensee
information relevant to the breach.

(c) Notice required by this chapter may be delayed if a law enforcement agency determines that the notice will impede a criminal
investigation. Notice required by this chapter must be made in good faith, without unreasonable delay and as soon as possible
after the law enforcement agency determines that notification will no longer impede the investigation.

75 Del. Laws, c. 61, § 1.;

§ 12B-103. Procedures deemed in compliance with security breach requirements.

(a) Under this chapter, an individual or a commercial entity that maintains its own notice procedures as part of an information
security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements
of this chapter is deemed to be in compliance with the notice requirements of this chapter if the individual or the commercial
entity notifies affected Delaware residents in accordance with its policies in the event of a breach of security of the system.

(b) Under this chapter, an individual or a commercial entity that is regulated by state or federal law and that maintains
procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established
by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the individual
or the commercial entity notifies affected Delaware residents in accordance with the maintained procedures when a breach occurs.

75 Del. Laws, c. 61, § 1.;

§ 12B-104. Violations.

Pursuant to the enforcement duties and powers of the Consumer Protection Division of the Department of Justice under Chapter
25 of Title 29, the Attorney General may bring an action in law or equity to address the violations of this chapter and for
other relief that may be appropriate to ensure proper compliance with this chapter or to recover direct economic damages resulting
from a violation, or both. The provisions of this chapter are not exclusive and do not relieve an individual or a commercial
entity subject to this chapter from compliance with all other applicable provisions of law.

75 Del. Laws, c. 61, § 1; 77 Del. Laws, c. 282, § 16.;