Delaware Toughens Data Breach Notification Law
Will Other States Follow and Adopt Similar Measures?
Say the phrase "cybersecurity regulation" in the Republican-run Congress, and watch lawmakers flee in all directions. The word "voluntarily" is very popular on Capitol Hill, as in allowing businesses to "voluntarily" adopt - and not mandate - the implementation of the National Institute of Standards and Technology cybersecurity framework.
But not so in some states, especially those with Democratic governors and legislatures. Lawmakers in those states aren't afraid to place some requirements on businesses to ensure the security and privacy of consumers' data.
That was the case in Delaware earlier this month, when Gov. John Carney signed legislation making it the second state - the first was Connecticut - to require organizations to provide residents one year of free credit monitoring services if their sensitive personal information is compromised in a data breach.
"It makes sense to offer additional protections for Delawareans who may have their information compromised in a cybersecurity breach," the Democratic governor said at a recent signing ceremony at the University of Delaware, which offers a master's program in cybersecurity and a program to train small businesses to identify cybersecurity threats.
Follow the Leaders?
Some experts see other states following Delaware and Connecticut in hardening their cybersecurity laws to place some requirements on businesses to protect consumer data.
"It is an important and necessary tool to help safeguard consumers and patients," says Ebba Blitz, CEO at endpoint encryption provider AlertSec. "Lawmakers are enacting change intending to help, not hurt. Everyone needs to be aware and proactive to ensure our personal and private data is protected."
The measure makes Delaware the 14th state to require companies conducting business within its borders to implement and maintain reasonable security measures to safeguard personal information.
The new Delaware law requires companies conducting business in the state to notify breach victims within 60 days of determining that a breach has occurred. Notification can be delayed if law enforcement officials determine that such notice would interfere with a criminal investigation. Entities also must notify the state attorney general if the number of breach victims exceeds 500 state residents.
The new law - which takes effect on April 14 and revises a 10-year-old statute - does not treat the exposure of encrypted data as a breach unless it is "reasonably believed" that the attackers also obtained the encryption key and the information owner believes that key could render the personal information readable or usable.
The act defines personal information to include Social Security, driver's license, passport and health insurance policy numbers; email address in combination with password or security question and answer; medical history and treatment, including diagnosis of mental or physical condition or DNA profile; and unique biometric data generated from measurements of human body characteristics for authentication purposes.
The bill's sponsor, state Rep. Paul Baumbach, D-Newark, says lawmakers worked with a variety of stakeholders to refine the legislation. "This is a meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack," he says.