By Ken Mammarella
Special to Delaware Business Times
Potter Anderson Corroon set up a comprehensive information security program and response plan for a data breach. Mallard Financial Partners paid to upgrade its cloud service for encryption.
Those forward-thinking moves by the Wilmington law firm and Newark financial adviser anticipate a Delaware law on cybersecurity that goes into effect April 14. House Substitute 1 for House Bill 180 requires everyone doing business in Delaware to “implement and maintain reasonable security to protect personal information.”
The law calls for better data protection, more notification after breaches and a year of free credit monitoring for some affected consumers. Officials said Delaware is the 14th state to “impose explicit data security obligations on the private sector” and the second to require free credit monitoring after some breaches.
“I like to say that every business is technology-based since you’re online and collecting information,” said Daniel Eliot, manager of technology business development for the Small Business Development Center at the University of Delaware. “Too many small businesses think that they’re too small to be of interest to hackers, but they’re an easy target to reach a larger target,” he added, exemplifying with a 2013 breach at Target, entered through a heating and air conditioning vendor.
The center, which already offers advice on protecting data, will soon add advice on handling breaches, Eliot said. A state website, https://digiknow.dti.delaware.gov, also offers resources, for firms with no information technology staff to ones interested in keeping their IT staff up to date.
Paul Baumbach, founder of Mallard Financial Partners in Newark and a Democrat representing the Newark area in the House the bill’s main sponsor, estimated his cost to improve security is 5 percent to 10 percent extra for Mallard’s cloud service. And he didn’t even need to do it. The law doesn’t apply to financial and health-care firms governed by higher standards in the 1999 Gramm-Leach-Bliley Act and the 1996 Health Insurance Portability and Accountability Act.
“Our reputation is our business,” he said of the security he increased this year, which included encrypting data already in the cloud. “It’s the right thing that’s good for our business and our customers.” It was also an easy thing that took just a weekend to update the service.
“Encrypt your data, and you’re golden” Baumbach said, also noting that encryption is a “safe harbor” and that some businesses might go for a rider on their business insurance.
Potter Anderson Corroon made sure to have an up-to-date incident response plan. In 2015, 62 percent of businesses surveyed by AT&T had an IT breach, yet only 34 percent had an effective incident response plan.
“A good plan is good business — it’s the right thing to do and it helps to build and protect your brand,” William R. Denny, a cybersecurity expert at Potter Anderson Corroon, wrote in Delaware Business. “Plans are no help when they merely sit on the shelf. The team should review the plan on a regular basis, at least annually, and should run tests and simulations.”
Baumbach said Delaware is also involved in developing uniform definitions for elements of cybersecurity, because a nationwide “patchwork quilt of regulations is bad for business.”
What you need to know about the law
“The new law only applies to persons (i.e., individuals, government agencies, all entities including corporations, LLCs, partnerships, trusts and nonprofits) doing business in Delaware,” said William R. Denny, a cybersecurity expert at Potter Anderson Corroon, chair of the Delaware State Bar Association section that reviewed the draft bill and leader in rewriting it. “Doing business in Delaware means transacting some part of its ordinary business in Delaware or targeting Delaware customers. If a person is not doing business in Delaware, then it is not subject to the Delaware law, even if the information of a Delaware resident is involved in a breach.”
House Substitute 1 for House Bill 180 expands breaches beyond the classic Social Security numbers, driver’s licenses and financial account numbers and passwords. The new categories: passport numbers; logons, passwords and answers to security questions for online accounts; medical histories; health insurance data; DNA profiles; biometric data; and taxpayer identification numbers.
The law also expands what’s not protected. To “information lawfully made available to the general public from government records, the revised law adds ‘widely distributed media,’ ” Denny wrote on Law360, meaning that it includes postings on Facebook and other social media.
Notifications must go out within 60 days of a breach’s discovery, with exceptions. Only owners or licensees of breached data must notify the people; vendors involved only have to notify their clients. “The law assigns responsibility for the risk of harm analysis where it rightfully belongs, with the person that owns or licenses the information,” he said. How notifications are made is to be determined.
The attorney general must be notified about breaches that affect more than 500 Delawareans.
Breaches involving Social Security numbers must include free credit monitoring for a year. Loss of encrypted data won’t be considered a breach — unless the key is stolen as well.
Violations are subject to actions by the attorney general “to ensure proper compliance … recover direct economic damages resulting from a violation, or both,” the law says.