360 Degree Cyber Security, LLC

Delaware’s Updated Privacy Law

BLUF: We highly recommend that you contact an information security professional regarding this legislation. If not us, find someone who can help you determine whether you are doing what needs to be done to stay within the requirements of this legislation.

On 17 August 2017, Governor Carney signed legislation that improves cybersecurity protections for the citizens of Delaware; it goes into effect in April. It improves on the original cybersecurity legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) adds protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notification of affected residents and free credit monitoring services for those whose Social Security information was potentially disclosed in the breach.

The updated legislation now includes a definition that is used to determine whether a breach of security has occurred. A breach has occurred when “a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.” Reporting a breach is left to the holder of the data, who must have the integrity to come forward and announce that they have had a breach. The key word in the legislation is determination. It has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days from the date of determination to make notifications (as long as doing so does not compromise a police investigation).

The legislation also introduces encryption to the lexicon. It states that encryption is required but does not specify a minimum level of encryption. The only statement is that the data must be “rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security.” This is a problem: depending on the source consulted, an organization could end up with an encryption scheme that can be reversed without the key. Some developers roll their own crypto algorithms, which are later found to contain faults.

The legislation states that organizations must protect personal information by encryption. Personal information is defined as a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:

  • Social Security Number
  • Driver’s license or state or federal identification card number
  • Account number, credit card number or debit card number in combination with any security code, access code or password that would permit access to a resident’s financial account
  • Passport number ***added***
  • Username or email address in combination with a password or security question and answer that would permit access to an online account ***added***
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid (DNA) profile. ***added***
  • Health insurance policy number, subscriber information number, or any other unique identifier used by a health insurer to identify the person. ***added***
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. ***added***
  • An individual taxpayer identification number ***added***

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
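Scoping a breach under this definition means checking, record by record, whether a name is paired with at least one of the listed elements, and remembering that an account number or a username/email only counts when it is combined with something that grants access. The following Python is an added illustration, not code from 360 Degree Cyber Security or from the statute; the field names, the sample records, and the way the public-records exclusion is modelled (as a caller-supplied set of fields known to be lawfully public) are all assumptions made for this example.

```python
"""Classify records against the statute's definition of "personal information".

Rule implemented: (first name OR first initial) AND last name, combined with
one or more qualifying data elements. Fields the caller marks as lawfully
public are ignored. Field names are assumptions for this example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Record = Dict[str, str]

# Elements that qualify on their own when paired with a name.
STANDALONE_ELEMENTS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license / state or federal ID number",
    "passport": "passport number",
    "medical": "medical history, treatment, diagnosis or DNA profile",
    "health_insurance": "health insurance policy / subscriber number",
    "biometric": "unique biometric data used for authentication",
    "itin": "individual taxpayer identification number",
}

# Elements that qualify only in combination with an access credential.
FINANCIAL_ACCESS = {"security_code", "access_code", "account_password"}
ONLINE_ACCOUNT = {"username", "email"}
ONLINE_ACCESS = {"password", "security_qa"}


def has_name(rec: Record) -> bool:
    """'First name or first initial and last name' as written in the statute."""
    return bool(rec.get("last_name")) and bool(rec.get("first_name") or rec.get("first_initial"))


def _present_fields(rec: Record, public_fields: FrozenSet[str]) -> Set[str]:
    # A field counts only if it is populated and not marked as lawfully public.
    return {k for k, v in rec.items() if v not in (None, "")} - set(public_fields)


def qualifying_elements(rec: Record, public_fields: FrozenSet[str] = frozenset()) -> List[str]:
    """Return human-readable labels of every qualifying element in the record."""
    present = _present_fields(rec, public_fields)
    found = [label for key, label in STANDALONE_ELEMENTS.items() if key in present]
    # Financial account number qualifies only with a code/password granting access.
    if "account_number" in present and present & FINANCIAL_ACCESS:
        found.append("financial account number with access code/password")
    # Username or email qualifies only with a password or security question/answer.
    if present & ONLINE_ACCOUNT and present & ONLINE_ACCESS:
        found.append("online account credential (username/email with password or security Q&A)")
    return found


def is_personal_information(rec: Record, public_fields: FrozenSet[str] = frozenset()) -> bool:
    return has_name(rec) and bool(qualifying_elements(rec, public_fields))


def scope_breach(records: List[Record], public_fields: FrozenSet[str] = frozenset()) -> List[Tuple[int, List[str]]]:
    """Return (record index, qualifying elements) for every in-scope record."""
    return [
        (i, qualifying_elements(rec, public_fields))
        for i, rec in enumerate(records)
        if is_personal_information(rec, public_fields)
    ]


# Constructed sample records (values are placeholders, not real data).
SAMPLE_RECORDS: List[Record] = [
    {"first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0000"},                         # in scope
    {"first_initial": "B", "last_name": "Ng", "account_number": "12345"},                     # no access code
    {"first_initial": "B", "last_name": "Ng", "account_number": "12345", "access_code": "9"},  # in scope
    {"email": "c@example.com", "password": "placeholder"},                                    # no name
    {"first_name": "Dee", "last_name": "Ray", "email": "d@example.com", "security_qa": "q/a"},  # in scope
    {"first_name": "Eve", "last_name": "Fox", "passport": "X0000000"},                        # in scope
]

if __name__ == "__main__":
    for index, elements in scope_breach(SAMPLE_RECORDS):
        print(f"record {index}: in scope ({'; '.join(elements)})")
```

Running the script lists records 0, 2, 4 and 5 as in scope; record 1 is out because the account number has no accompanying code, and record 3 is out because no name is present. The `public_fields` parameter is the place to encode the statute's public-records exclusion once counsel has decided which fields it covers.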


About the Author

Chris Wolski is the founder and principal consultant of 360 Degree Cyber Security, LLC, a cyber security firm focused on small businesses and municipalities. He is currently certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and with various individuals seeking to be mentored in cybersecurity. He frequently researches industrial devices to discover weaknesses that would present a problem for users of those devices. Chris got his start in cyber security in the U.S. Navy, where he served in various information security and signals intelligence roles over his 20-year career. He left government service after serving in a position developing cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master of Business Administration, also at the University of Maryland University College.
