Can I avoid having a data breach response plan in Delaware? What are the requirements?
Data Breach Response Plan Requirements in Delaware
Delaware law requires businesses to have a data breach response plan in place [1.1]. The plan should be part of an information security policy for the treatment of personal information and should be consistent with the timing requirements of the law. If a business maintains its own notice procedures and notifies affected Delaware residents in accordance with its policies in the event of a breach of security, it is deemed to be in compliance with the notice requirements of the law [1.1].
Additionally, if a business is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), and maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator, it is deemed to be in compliance with the law if it notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs [1.1].
Therefore, businesses cannot avoid having a data breach response plan in Delaware. It is a legal requirement to have one in place.
What are the requirements for a data breach response plan in Delaware?
Delaware law requires businesses to have a data breach response plan in place [1.1]. The plan should be part of an information security policy for the treatment of personal information and should be consistent with the timing requirements of the law. The plan should include the following:
- The procedures that the business will follow in the event of a breach of security [1.1].
- The process for identifying and assessing the scope of the breach [1.1].
- The process for notifying affected Delaware residents [1.1].
- The process for notifying the Delaware Attorney General if the number of affected Delaware residents to be notified exceeds 500 [1.2].
- The process for offering credit monitoring services at no cost to affected Delaware residents whose personal information, including Social Security number, was breached or is reasonably believed to have been breached [1.2].
- The process for providing all information necessary for affected Delaware residents to enroll in such services, including information on how such residents can place a credit freeze on their credit file [1.2].
Businesses that are regulated by state or federal law should also ensure that their data breach response plan is consistent with the procedures they maintain for a breach of security [1.1].
Therefore, businesses must have a comprehensive data breach response plan in place that includes the above requirements to comply with Delaware law.
Source(s):
- [1.1] Procedures deemed in compliance with security breach notice requirements.
- [1.2] Disclosure of breach of security; notice.
Jurisdiction: Delaware