QUICK FACTS

  • If the breach of security includes a Social Security number, credit monitoring services must be offered for a period of 1 year at no cost to the affected consumer.
  • If the affected number of Delaware residents to be notified exceeds 500 residents, notice of the breach of security must also be provided to the Attorney General.
  • The Attorney General may bring an action in law or equity to address the violations relating to security breach and for other relief that may be appropriate to ensure compliance or recover monetary damages, or both.
  • Civil actions may be brought for violations relating to data disposal laws.
  • If vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.

STATUTES AND LAWS

  • Delaware Online Privacy and Protection Act: This law requires operators of websites or online services that collect personal information from Delaware residents to post a privacy policy that discloses the types of information collected and how it will be used. It also requires operators to obtain verifiable parental consent before collecting personal information from children under 13.
  • Delaware Data Security Breach Notification Law: This law requires businesses and government entities to notify affected individuals in the event of a data breach that involves personal information.
  • Delaware Financial Privacy Notice Act: This law requires financial institutions to provide privacy notices to customers and to obtain their consent before sharing certain types of personal information with third parties.
  • Delaware Insurance Information and Privacy Protection Act: This law requires insurance companies to protect the privacy of their customers’ personal information and to provide notice to customers in the event of a data breach.
  • Delaware Consumer Fraud Act: This law prohibits unfair or deceptive practices in the collection, use, and disclosure of personal information.