Delaware issued new Cybersecurity requirements to take effect in April 2018. The amendment that was signed on August 17, 2017, is a change to Delaware’s data breach notification law that was originally enacted in 2005. The amended law requires:
- Companies to notify affected Delaware residents of a breach involving their personal information within 60 days after determination of a breach;
- Now there is a requirement to notify Delaware’s attorney general of any breach affecting more than 500 residents;
- Companies will now have to provide a year of free credit monitoring services for any resident whose Social Security number was breached.
The change to Delaware’s Cybersecurity requirements is similar to what other states are requiring for their notification laws. Several states already set specific time limits for notification, several of which are shorter than Delaware’s new 60-day deadline. Also, more than 20 states already require notice to the state attorney general or other state regulator in the event of a breach.
What is interesting is Delaware’s new requirement to provide credit monitoring services to affected individuals. Previously, only California and Connecticut had requirements addressing the provision of credit monitoring services.
The Delaware issued new Cybersecurity requirements are important changes for state registered investment advisor firms to consider as you review your own Cybersecurity policies and procedures.
