Businesses are now required to provide free credit monitoring after data breaches in Delaware

A host of consumer protections are included in a new law designed to update the state's cybersecurity definitions and requirements for those storing personal information.

Thanks to the passage of a new law, internet users in Delaware can gain a little peace of mind.

Gov. John Carney signed into law Thursday new consumer protections, including a provision that requires businesses collecting personal information to provide free credit monitoring services to those whose Social Security numbers were compromised. Delaware is only the second state — after Connecticut — to create such a requirement.

“We live in a digital world where threats to personal information are becoming more common, and the cyber threat is one of the most serious economic challenges we face,” Carney said in a statement. “It makes sense to offer additional protections for Delawareans.”

The legislation — House Substitute 1 for House Bill 180 — also holds those collecting personal information to a higher standard for its protection and establishes new definitions for concepts like “encryption” and “breach of security” to ensure that the new requirements are both meaningful and enforceable.


To provide businesses with training and resources to help protect consumer data, the state has also been partnering for the past two years with the University of Delaware (UD), which offers a master's program in cybersecurity.

“UD is devoting unique resources to developing and advancing technologies and solutions for a safe and resilient cyberspace by contributing our expertise in computer science, corporate governance and public policy,” UD President Dennis Assanis said in a statement.

The new law, which represents the first updates to Delaware’s cybersecurity requirements in more than a decade, covers both accidental and intentional disclosure of personal information in electronic or paper files. Businesses are required to notify those whose information has been compromised within 60 days, unless a shorter timeframe is stipulated by federal law.

The final form of the legislation removed from the definition of “personal information” certain items that were included in initial versions, such as marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures. The final version also removed a requirement that the Department of Justice develop regulations and a model form of notice.

James Collins, the state’s chief information officer at the Delaware Department of Technology and Information, noted in a statement that the new law is an important step toward stemming identity theft and fraud.


“We all know that prevention is the best strategy and that is our main goal,” Collins said. “We want to be proactive so that our citizens and business community can avoid these threats.”
