Delaware Toughens Data Breach Notification Law

Will Other States Follow and Adopt Similar Measures?

Say the phrase “cybersecurity regulation” in the Republican-run Congress, and watch lawmakers flee in all directions. The word “voluntarily” is very popular on Capitol Hill, as in allowing businesses to “voluntarily” adopt the National Institute of Standards and Technology cybersecurity framework rather than mandating its implementation.

But not so in some states, especially those with Democratic governors and legislatures. Lawmakers in those states aren’t afraid to place some requirements on businesses to ensure the security and privacy of consumers’ data.

That was the case in Delaware earlier this month, when Gov. John Carney signed legislation making it the second state – the first was Connecticut – to require organizations to provide residents one year of free credit monitoring services if their sensitive personal information is compromised in a data breach.

“It makes sense to offer additional protections for Delawareans who may have their information compromised in a cybersecurity breach,” the Democratic governor said at a recent signing ceremony at the University of Delaware, which offers a master’s program in cybersecurity and a program to train small businesses to identify cybersecurity threats.

Follow the Leaders?

Some experts see other states following Delaware and Connecticut in hardening their cybersecurity laws to place some requirements on businesses to protect consumer data.

“It is an important and necessary tool to help safeguard consumers and patients,” says Ebba Blitz, CEO at endpoint encryption provider AlertSec. “Lawmakers are enacting change intending to help, not hurt. Everyone needs to be aware and proactive to ensure our personal and private data is protected.”
