360 Degree Cyber Security, LLC


Delaware’s Updated Privacy Law

August 23, 2017 – BLUF: We highly recommend that you contact an information security professional regarding this legislation. If not us, find someone who can help you determine if you are doing what needs to be done to stay within the guidelines of this legislation.

On 17 August, 2017, Governor Carney signed legislation that improves cybersecurity protections for the citizens of Delaware; it goes into effect in April. It builds on the original cybersecurity legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) provides for additional protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notifications and free credit monitoring services for those whose social security information was potentially disclosed via the breach.

The updated legislation now includes a definition that is used to determine if a breach of security has occurred. A breach has occurred when “a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.” Reporting of a breach is left to the holder of the data, who must have the integrity to come forward and announce that they have had a breach. The key word in the legislation is determination. It has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days from the date of determination to make notifications (as long as doing so does not compromise a police investigation).

The legislation also introduces encryption to the lexicon. It states that encryption is required but does not specify a minimum level of encryption. The only statement is that the data must be “rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security.” This is a problem: depending on which source the organization consults, it could end up with an encryption standard that is reversible. Some developers roll their own crypto algorithms, which are later found to contain faults.

The legislation states that organizations must protect personal information by encryption. Personal information is defined as a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:

  • Social Security Number
  • Driver’s license, state, or federal identification card
  • Account number, credit card number or debit card number in combination with any security code, access code or password that would permit access to a resident’s financial account
  • Passport number ***added***
  • Username or email address in combination with a password or security question and answer that would permit access to an online account ***added***
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid (DNA) profile. ***added***
  • Health insurance policy number, subscriber information number, or any other unique identifier used by a health insurer to identify the person. ***added***
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. ***added***
  • An individual taxpayer identification ***added***

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.