Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- Penalties and/or civil relief may apply

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Delaware residents affected by a breach of security must be notified of the breach within 60 days, unless it is determined after appropriate investigation that harm to the individual(s) is unlikely.
  • A breach of security involving computerized personal information affecting over 500 residents must be reported to the Attorney General no later than the time of consumer notification.
  • If a breach of security includes Social Security numbers, credit monitoring services must be provided by the breached Organization for a period of 1 year at no cost to affected consumers.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Vendors must notify Organizations immediately after determination of a breach or suspected breach.
  • Vendors must cooperate with Organizations by providing necessary information about a breach incident.
  • Organizations will be responsible for completing any required regulatory reporting and consumer notification.
  • Organizations must implement and maintain reasonable procedures and practices to protect personal information collected and maintained.
  • Organizations and Vendors conducting business in Delaware must have measures in place to destroy, or arrange for the destruction of, consumers’ personal identifying records so that the records are made unreadable or indecipherable.
  • The Attorney General may bring an action to address violations relating to security breach and may seek relief appropriate to ensure compliance or recover monetary damages, or both.
  • Civil actions may be brought for violations relating to data disposal laws.
  • Posting of a Privacy Policy containing specific information is required of any operator of a commercial internet website, online or cloud computing service, application or mobile application that collects personal information of Delaware residents.
  • Education-sector vendors must be contracted and abide by contractual requirements for the protection of educational records.
  • Delaware’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and to investigate and respond to breaches of security. Licensees have until July 31, 2021 to comply with the vendor management requirements.
  • Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
  • Del. Code Title 6 §§ 12B-100-12B-104 Computer Security Breaches
  • Del. Code Title 6 §§ 1201C-1206C Delaware Online Privacy and Protection Act
  • Del. Code Title 6 §§ 5001C-5004C Safe Destruction of Records Containing Personal Identifying Information
  • Del. Code Title 19 §§ 730-736 Right to Inspect Personnel Files / Safe destruction of records containing personal identifying information
  • Del. Code Title 14 § 4111 Disclosure of pupils’ school records
  • Del. Code Title 14 §§ 8101A-8106A Student Data Privacy Protection Act
  • Del. Code Title 18 §§ 8601-8611 Insurance Data Security Act