AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Delaware Updates Data Breach Notification Rules

Delaware, the second-smallest state but the leader in business incorporations, at least within the USA, has updated its legal framework regarding data breach notifications. Beginning on August 14, 2018, companies that experience a data breach must notify any affected individuals in Delaware within 60 days. In addition, credit monitoring – free of charge, of course – is now a legal requirement, not a "favor" or "show of goodwill" on the part of the companies.

And there's more, much more.  

Changes, Long Time Coming

Delaware is famous for being a pro-business state; there's a reason why over 60% of Fortune 500 businesses are legally incorporated there. Indeed, it's so pro-business that sometimes it seems that Delaware residents take a back seat to their "legally-people" brethren. Case in point: the original data breach laws Delaware passed in 2005, and all the problems they had.

Well, in less than one year, real people will see their rights elevated:

  • Reasonable protection of personal information.
    • Includes an update on the definition of "encryption."
    • A change in the language so that, if encryption is compromised in the data breach, encryption as safe harbor doesn't kick in.
  • Updated definition of "personal information."
    • Under the new law, medical information; biometric data; user names and passwords; health insurance policy numbers; passport numbers; financial account routing numbers; and individual taxpayer identification numbers, among others, have been added as personal information.
  • Notification to residents within 60 days of a data breach.
  • Notification to the Attorney General if more than 500 people are affected.
  • Free credit monitoring for one year.

Obviously, the above doesn't cover everything. The legislature included a handy synopsis in the bill, copied verbatim below. As you read over the list, you'll notice that an effort was made to remove certain things, which is interesting as well.

This Act revises HB 180 to reflect input from a wide group of stakeholders. This Substitute Act differs from HB 180 as follows:
  • Terminology has been revised to be more accurate and consistent.
  • A definition of "person" is added and includes government, consistent with current law.
  • A definition of “determination of breach of security” is added.
  • Marriage certificates, full birth dates and birth certificates, shared secrets and security tokens, and digital or electronic signatures are removed from the definition of "personal information."
  • An application for health insurance is removed from the definition of personal information because all of the information in an application that is of concern is separately listed in the definition of personal information.
  • Removes the requirement that the Department of Justice develop regulations and a model form of notice.
  • Clarifies how to provide notice if a breach involves login credentials of an email account that is the basis of the breach.
  • Clarifies that notice of a breach can be provided after 60 days from discovery when it is determined at a later time that the breach includes additional residents.
  • Provides examples of federal laws that can be complied with to constitute compliance with this chapter.
  • Removes the private right of action for the failure of a person to provide notice under this chapter. The Common Law cause of action for actual damages as a result of a breach is unaffected by this change.

Some Controversy

On providing credit monitoring for free, some have pointed out the potential outsized effect on small and medium-sized businesses.

In this day and age when it's easier than ever to compile extremely large databases, even for the smallest mom-and-pop store, the concerns are more than valid. Indeed, when you think about it, many things work against small businesses, especially when it comes to data security. For example, they ostensibly have less money than a megacorporation, meaning they cannot afford the best digital security on offer. Nor can they afford to upgrade their existing security as often. Nor can they guarantee access to dedicated IT professionals who could potentially lower the risk of a data breach in their day-to-day jobs.

On the other hand, hackers don't give breaks just because you happen to be an SMB. And, at the end of the day, if 100,000 people (or more!) are affected by a data breach, the damage is the same whether the breached entity is a business operated by two people or twenty thousand people.

Related Articles and Sites:
https://www.bna.com/delaware-adds-stringent-n73014463341/
https://www.lexology.com/library/detail.aspx?g=4a54016c-c241-4327-8127-e35a36bcb6a1
http://legis.delaware.gov/BillDetail/26009

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.