Delaware - Sectoral Privacy Overview
The Delaware Constitution of 1897 (as amended) ('the Constitution') does not specifically provide for a right to privacy. However, Section 6 of Article I of the Constitution does provide an analogue of the Fourth Amendment of the Constitution of the United States, prohibiting unreasonable searches and seizures. Moreover, the Delaware Supreme Court ('the Supreme Court') has recognised that Delaware has "a commitment to protecting the privacy of its citizens".
2.1. Statutory right to privacy
2.1.1. Eavesdropping and surveilling
§1335 of Subchapter VII of Chapter 5 of Title 11 of the Delaware Code ('Del. C.') provides Delaware's primary criminal invasion of privacy law, and makes it unlawful to trespass for the purpose of surveilling or eavesdropping on a subject, as well as prohibits the installation or use of specified eavesdropping methods and equipment. In other words, to avoid violation of 11 Del. C. §1335, all parties to a conversation would need to consent to the recording of that conversation. In addition, 11 Del. C. §1335 makes it unlawful to place an electronic or mechanical location tracker in a motor vehicle without the consent of the owner, recording persons in a state of undress or knowingly reproducing or distributing a visual depiction of nudity or sexual conduct.
11 Del. C. §2402 prohibits a person from intentionally intercepting, attempting to intercept, or procuring any other person to intercept any wire, oral, or electronic communication. The law also prohibits the use or disclosure of the contents of any information contained in a communication intercepted in violation of the above prohibition. However, under 11 Del. C. §2402, an interception may be permissible if the person is a party to such communication, or if one of the parties to the communication has given consent. Both 11 Del. C. §§1335 and 2402 provide exceptions for qualifying law enforcement activities or to permit certain functions of telephone companies. Additionally, 11 Del. C. §1335 provides an exception for the installation of devices by a parent or guardian to track a minor child's location.
The Delaware Online Privacy and Protection Act ('DOPPA'), under §1201C et seq. of Chapter 12C of Subtitle II of Title 6 of the Del. C., creates regulatory compliance obligations for 'operators' in three areas:
- internet websites, online or cloud computing services, and online or mobile applications, generally referred to as 'services' and 'platforms,' directed at children;
- posting of privacy policies; and
- privacy protections relating to users of digital books.
DOPPA empowers the Consumer Protection Unit of Delaware's Department of Justice with investigatory and enforcement powers. An 'operator' for the purposes of DOPPA is a person owning a covered service or platform. Third parties that operate, manage or host, but do not own a service or platform, are not considered 'operators' for the purposes of DOPPA.
Advertising to children
DOPPA regulates operators only as far as they provide services or platforms that are 'targeted or intended to reach an audience that is composed predominantly of children' (6 Del. C. §1202C). However, this does not include services or platforms that merely refer or link to another service or platform that is directed at children. Operators can also be liable under DOPPA if, despite not directing their services or platforms to children, they have actual knowledge that children are accessing the services or platforms. In such an event, an operator cannot knowingly use, disclose, or compile the personal information of that child, nor can an operator allow another to do the same. An operator that provides a covered service or platform cannot advertise or market content that is inappropriate for children. In this regard, DOPPA provides an enumerated list of prohibited content, including alcohol, tobacco, firearms, fireworks, tanning equipment and facilities, lotteries and gambling, tattoos, drug paraphernalia, and pornography. It should be noted that an operator need not monitor the foregoing if it is using an advertising service and it ensures that such service is complying with DOPPA.
DOPPA also requires certain online operators, which collect personally identifiable information about their users, to conspicuously publish privacy policies on their sites, services, or applications (6 Del. C. §1202C ). This requirement applies to any platform or service. DOPPA does not define the term 'commercial', however, the term likely applies to operators operating a service or platform for profit. Under DOPPA, a 'user' is defined as an individual who uses the operator's service or platform. 'Personally identifiable information' means personally identifiable information about a user that is collected by an operator, including first and last name, physical address, email address, social security number, telephone number, or any other identifier that permits the physical or online contacting of the user.
If an operator is covered by DOPPA, it must provide a policy that identifies:
- the types of personally identifiable information being collected;
- the categories of third parties with whom the operator may share such information;
- a procedure for a user to review and request changes to that user's information;
- the effective date of the policy; and
- how the operator will notify users of changes to the policy.
- it is posted on the home page or the first significant page after entering the website;
- it is accessed through a text link meeting the requirements directly above, if the word 'privacy' is written in capital letters equal to or greater in size than the surrounding text, or in larger or contrasting type than the surrounding text;
- it is otherwise set off; or
- any other functional hyperlink displayed so that a reasonable individual would notice the link.
DOPPA also provides protections relating to digital books so that a user's 'book service information' cannot be disclosed without the user's consent (6 Del. C. §1206C). Under DOPPA, a covered 'book service' means an entity, which as its primary purpose provides individuals with the opportunity to rent, purchase, borrow, browse, or view books electronically or via the internet. A 'book service provider' is any commercial entity offering a book service to the public, except that a commercial entity that offers a variety of consumer products to the public will not qualify as a book service provider if its book service sales do not exceed 2% of the entity's total annual gross consumer sales in the US. 'Book service information' means any information that identifies or relates to a user, unique identifiers or IP addresses when used to identify or associate a particular user or book, or any information relating to a user's access to a book service or a book. DOPPA makes exceptions to the above if disclosure is to law enforcement, if there is an imminent danger of death or serious physical injury, or if the book service provider discloses such information to law enforcement because it believes that information is evidence directly related or relevant to a crime against the provider or the user.
2.1.3. The SDPPA
The Student Data Privacy Protection Act ('SDPPA'), under §8101A et seq. of Chapter 81A of Title 14 of the Del. C., prohibits online operators from engaging in a variety of unlawful conduct, including:
- targeted advertising based on a student's information, including state-assigned student identifiers;
- creating a profile of the student using such information, except in furtherance of K-12 school purposes;
- selling student data, except under limited circumstances; or
- absent an exception, disclosing the student data.
The SDPPA defines 'student data' as personally identifiable information that:
- is student performance information;
- is created or provided by a student or parent to an employee or agent of the Delaware Department of Education ('DOE'), school district, or school;
- is created or provided by a student or parent to an operator while using the operator's site, service, or application for K-12 school purposes;
- is created or provided by an employee of the school district or school, to the operator; or
- is gathered by the operator and can be used to trace the identity of the student or is linked to information that can be used for this purpose, including a variety of statutory examples, such as name, address, phone number, biometric data, online or cellular device activity, and educational records.
An 'operator' under the SDPPA is defined as any person, other than the DOE, school districts, or schools, if such person:
- operates an internet website, online or cloud computing service, or online or mobile application that is used primarily for K-12 purposes and was designed and marketed for K-12 school purposes; or
- collects, maintains, or uses student data in a digital or electronic format for K-12 school purposes.
In addition to limiting how student data may be used, the SDPPA also mandates that operators set up and maintain reasonable security procedures that protect the student data that they collect and process from unauthorised access, use, disclosure, destruction, or modification. Such security procedures must, at minimum, meet the Delaware Department of Technology and Information's ('DTI') Cloud and Offsite Hosting Policy and include the terms and conditions set forth in the DTI's Cloud and Offsite Hosting Template for Non-Public Data (14 Del. C. §8104A). Operators must also delete a student's data within a reasonable time after receiving a request from the school district of the school controlling the data, but such deletion must occur no later than 45 days from the request. Note that the SDPPA does not apply to internet websites for general audiences, and internet service providers are not restricted from providing internet connectivity to schools and students, among other exclusions (14 Del. C. §8106A).
2.1.3. The Data Market Participant Bill (Pending)
The Data Market Participant Bill, modelled after a similar act in Vermont governing data brokers, has been introduced as House Bill ('HB') 262 and passed in the State House of Representatives on 4 May 2022. It is pending in the Senate, after which, if passed, will come before the Governor. If passed, it will introduce a Chapter 12D in Title 6 of the Del. C. The Data Market Participant Bill seeks to provide consumers with critical information about how their personal information is being used by data market participants. The bill in its current form applies to data market participants, defined, with certain exceptions, as any entity that both (a) knowingly maintains or collects the brokered personal information of at least 500 consumers, and (b) either sells or licenses such information to one or more independently operated businesses. Exceptions include (x) financial institutions to the extent governed by the Gramm Leach Bliley Act of 1999 ('GLBA') and (y) the collection and sale or licensing of brokered personal information incidental to the following activities:
- providing 411 directory assistance;
- providing publicly available information related to a consumer’s business;
- providing publicly available information via real-time alerts for health or safety purposes;
- providing information to a potential employer, governmental agency or contractual counter-party relating to a background check with the written authorization of the individual; or
- providing information where authorized by the Motor Vehicle Administration.
The Data Market Participant Bill requires data market participants to register with the Consumer Protection Unit of the Delaware Department of Justice and answer questions regarding the use of personal information that would be published online to inform consumers. A fee schedule is established based on the size of the data market participant that would fund the enforcement of the statute. Registration only applies to data market participants who sell or license information. As such, entities or individuals who collect personal information but do not sell or license that personal data are not required to register . The bill prohibits acquiring or providing brokered personal information where it will be used for certain unlawful purposes or where it was obtained through fraudulent means. The bill requires data market participants to protect brokered personal information.
The Data Market Participant Bill vests enforcement authority with the Attorney General ('AG') of the State of Delaware, although such enforcement authority is not exclusive. The bill does not expressly provide a private right of action. The effective date of the Data Market Participant Bill will be one year following enactment.
2.2. Common law right to privacy
The Supreme Court has adopted the Restatement (Second) of Torts ('the Restatement') as a basis to analyse claims for invasion of privacy. As in the Restatement, Delaware recognises four distinct causes of actions for invasion of privacy:
- intrusion on a plaintiff's physical solitude;
- publication of private matters violating the ordinary senses;
- putting a plaintiff in a false position in the public eye; and
- appropriation of some element of a plaintiff's personality for commercial use.
2.2.1. Intrusion upon seclusion
A person is liable for intrusion upon seclusion under Delaware law if the person intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another, including their private affairs or concerns, and the intrusion would be considered highly offensive to a reasonable person (Barker v. Huang, 610 A.2d 1341, 1350 (Del. 1992)). Delaware courts have found that there will be no 'intrusion' if the plaintiff consents to the act, even in cases where the consent is obtained through false pretences (Beckett v. Trice, 1994 WL 710874, at *6 (Del. Super. Ct. Nov. 4, 1994)).
2.2.2. Publication of private matters
A person is liable for the tort of publication of private matters violating the ordinary senses if that person gives publicity to a matter concerning the private life of another, which could be considered highly offensive to a reasonable person. However, liability will only arise if the matter being made public is not a legitimate concern to the public (Spence v. Cherian, 135 A.3d 1282, 1288 (Del. 2016)). Whether a matter is made public is a fact-sensitive analysis; however, the Delaware courts consider that a matter is made public when it is communicated to the public at large or to a sufficient number of persons that the matter can be considered as part of the public knowledge (Id). Thus, this tort concerns public, not private, communication.
2.2.3. False light
A false light invasion of privacy claim arises in Delaware when a person knowingly or in reckless disregard of the falsity of their statements makes a matter public that places a plaintiff in a false light in the eye of the public, but only if that false light would be highly offensive to a reasonable person (Shearin v. E.F. Hutton Grp., Inc., 652 A.2d 578, 597 n.23 (Del. Ch. 1994)). This tort does not provide liability for publication of matters that are merely less than favorable to the plaintiff.
2.2.4. Appropriation of name or likeness
This tort permits damages in the event that some element of a person's likeness is used commercially without their consent (Gassis v. Corkery, 2014 WL 3565418 (Del. Ch. July 21, 2014)). A typical claim in this regard would be the use of a photograph for advertising purposes without the permission of the person photographed.
Delaware provides a variety of privacy protections with regard to health information. This includes disclosure protection and record retention and destruction requirements. For example, Delaware law prohibits nursing facilities from disclosing medical records without the express consent of the resident (§1121 of Subchapter II of Chapter 11 of Title 16 of the Del. C.). Nursing home residents also have the right to inspect and purchase copies of their records. Failure to follow these requirements can result in civil penalties. Abuse treatment facilities, mental health hospitals, and residential centres are likewise required to treat patient records as confidential and cannot disclose patient records without the patient's consent (§2220 of Chapter 22 of Title 16 of the Del. C. and §5161 of Subchapter V of Chapter 51 of Title 16 of the Del. C.).
Dental practices in Delaware are also prohibited from disclosing information relating to the diagnosis, treatment, or health of any dental plan enrolee, except to the extent necessary to comply with laws regarding dental plan organisations, court order, or with the express consent of the enrolee (§3820 of Chapter 38 of Title 18 of the Del. C.). Managed care organisations have similar restrictions (§6412 of Chapter 64 of Title 18 of the Del. C.).
Delaware law prohibits the collection of genetic information about a person without informed consent (§1201 et seq. of Subchapter I of Chapter 12 of Title 16 of the Del. C.). To obtain informed consent, the law requires that the individual sign a consent form that includes a description of the information to be collected and/or retained and its purpose and potential uses. The law does, however, permit certain exceptions to informed consent. For example, law enforcement is permitted to forgo the informed consent requirement if needed to establish an individual's identity during the course of a criminal investigation, to determine paternity, or to determine the identity of a deceased individual. To the extent that such information is collected, it cannot be disclosed or compelled to be disclosed in a manner that would allow the identification of the underlying individual. Finally, persons covered by the law are permitted to inspect, request correction of, and obtain genetic information from their records.
Delaware law similarly prohibits the disclosure of the identity of an individual on whom an HIV test had been performed, or the results of such a test in any manner that would allow the identification of that individual (§717 of Subchapter II of Chapter 7 of Title 16 of the Del. C.). The law does, however, provide exceptions, including disclosure to the test subject, legal guardian, health care providers, and those that receive a legal release for the information. The law provides a private right of action for persons harmed by an unlawful disclosure.
The Insurance Data Security Act ('ISDA'), under §8601 et seq. of Chapter 86 of Title 18 of the Del. C. (discussed in section 10.4. below), includes broad categories of information in the definition of 'non-public information', including information created by or derived from a health-care provider that can be used to identify a consumer if it relates to past, present, or future physical, mental or behavioural health or conditions of a consumer or family member; the provision of health care to a consumer, or payment for the provision of health care to a consumer.
Finally, §12B-100 et seq. of Chapter 12B of Subtitle II of Title 6 of the Del. C., referred to as the 'Computer Security Breaches Law' (discussed in section 10.1. below), includes a person's DNA profile, medical history and treatment, diagnosis of mental and physical conditions, health insurance policy numbers, subscriber identification number, and any other unique identifier used by a health insurer, in the definition of personal information. This means that data notification requirements may be triggered for qualifying security breaches involving these categories of information. Note, however, that persons and entities regulated by the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are not required to comply with the Computer Security Breaches Law if they maintain procedures for breach notification pursuant to HIPAA and notify affected Delaware residents of a data breach in accordance with those procedures. Delaware's law requiring the destruction of records (discussed in section 9 below) is also inapplicable to health care providers subject to the privacy and security requirements of HIPAA (§5004C of Chapter 50C of Subtitle II of Title 6 of the Del. C.).
Delaware does not have a data protection law that is specific to financial information. However, financial information is included in several laws with regard to data protection generally. For example, as discussed in section 10.1. of the Guidance Note, the Computer Security Breaches Law includes financial information, including account numbers and information that would allow access to a financial account, in the definition of personally information protected by the law. Similarly, ISDA and other insurance laws require Delaware insurers to maintain the privacy of consumer financial and health information.
5.1. Access to personnel files
§732 of Subchapter IV of Chapter 7 of Title 19 of the Del. C. requires that employers, upon request, allow employees to inspect their personnel files that are used in connection with those employees' qualifications for employment, promotion, additional compensation, termination, or disciplinary action. These records must be made available during regular business hours. However, employers may require that the records be inspected during the employees' free time, but the employees must be given a reasonable amount of time. Under the law, employers may, in their discretion, require that employees file a written request which indicates either the reason for the inspection or the particular parts of the records requested. An employee reviewing covered records may take notes, but the employer is not required to allow the employee to remove the records from the premises and a designated officer is permitted to be present during the inspection of the records (19 Del. C. §733). Required inspections under this law may be limited to once per year unless additional inspections are needed based on a reasonable cause. An employer who refuses an employee's access to their personnel files in violation of the law can be subjected to a civil penalty of $1,000 to $5,000 per violation (19 Del. C. §735).
In the event that there is a dispute regarding the information contained in the records, the law permits an employer and employee to come to an agreement regarding any such dispute. If no agreement is reached, the employee has the right to submit a written statement regarding the disputed information that must be included in the records and must be transmitted with those records as part of any disclosure to a third party (19 Del. C. §734).
5.2. Disposal of records
19 Del. C. §736 requires employers seeking to permanently destroy or dispose of records containing an employee's personal identifying information and to take all reasonable steps to destroy or arrange for the destruction of those records by shredding, erasing, or otherwise destroying or modifying the personal identifying information in the records to make it unreadable or indecipherable. The law permits a civil action to be brought against an employer that intentionally or recklessly violates the law's requirements.
5.3. Background checks
§711 of Subchapter II of Chapter 7 of Title 19 of the Del. C. makes it unlawful for an employer to inquire into or consider the criminal record, criminal history, credit history, or credit score of a job applicant during the initial application process, including and up to the first interview. If the applicant is otherwise qualified, public employers are permitted to make such inquires after the first interview has occurred. The law permits public employers to disqualify an applicant based on their criminal history if the exclusion is related to the position in question and consistent with business necessity. In making such a determination, the public employer must consider the nature and gravity of the offense or conduct, the time that has passed since the incident or the completion of a sentence, and the nature of the job being sought. Note that the prohibitions of the law do not apply to police positions or any other position where federal or state law requires or permits a consideration of criminal history. For example, Delaware law requires that licensed nursing facilities, including assisted living facilities, and other similar facilities, conduct a criminal background check for their employees.
5.4. Employee references
Under Delaware law, an employer is permitted to disclose information about a current or former employee's job performance to a prospective employer and is immune from liability, unless it can be demonstrated that the disclosure was made in bad faith (§709 of Subchapter I of Chapter 7 of Title 19 of the Del. C.). Bad faith may be established if the information provided was knowingly false, deliberately misleading, or rendered with malicious purposes; or was disclosed in violation of a nondisclosure agreement or was otherwise legally confidential.
5.5. Employee monitoring
It is an unlawful practice under Delaware law for employers to monitor or intercept an employee's telephone conversation, email or electronic transmission, or internet access or use information of an employee (19 Del. C. §705). An employer may monitor or intercept such information, however, if it either:
- provides an electronic notice of its monitoring policies to the employee during each day that the employee accesses the employer-provided email or internet; or
- has first given a one-time notice to the employee of the monitoring activity that is in writing, in an electronic record, or other electronic form, which notice has been acknowledged by the employee in writing or electronically.
The law also permits such monitoring in court-ordered actions, or to permit the employer to allow for computer system maintenance or protection processes. As noted above, there are also potential criminal implications for unlawful surveillance.
5.6. Employee social media accounts
Delaware law provides that it is an unlawful employment practice for an employer to require or request an applicant or employee to do any of the following (19 Del. C. §709A):
- disclose username or password information to enable the employer to access the applicant's or employee's personal social media;
- access personal social media in the presence of the employer;
- use personal social media as a condition of employment;
- divulge any personal social media, unless an exception applies;
- add a person, including the employer, to the list of contacts associated with the personal social media of the employee or applicant, or invite or accept an invitation from any person, including the employer, to join a group associated with such personal social media; or
- alter the settings of an employee's or applicant's personal social media that affect a third party's ability to view its contents.
Employers are also prohibited from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee for refusing to comply with a demand for access that violated the above restrictions. These restrictions, however, do not apply to accessing devices or services provided by the employer, provided that such devices or services are provided for work purposes. Neither do the restrictions apply to electronic data stored on the employer's network. Additionally, an employer may investigate employee misconduct and may view information about an employee or applicant if that information is in the public domain.
5.7. Employee genetic information
Delaware law prohibits employers from intentionally collecting, directly or indirectly, any genetic information concerning an employee or applicant, or a member of the family of such employee or applicant, unless the employer can demonstrate that the information is job-related and consistent with business necessity, or that the information is sought in connection with the retirement system of the employer or the underwriting or administration of an employee benefit plan (19 Del. C. §711).
5.8. Employee compensation history
Delaware prohibits employers from seeking the pay history of applicants prior to making an offer of employment (19 Del. C. §709B).
See section 2.1.2. above.
See section 2.1.3. above.
Delaware does not have a specific 'do-not-call' statute; however, the federal National Do Not Call Registry does apply in the state. Additionally, under the Delaware Telemarketing Fraud Act, under §2501A et seq. of Subchapter 25A of Subtitle II of Title 6 of the Del. C., it is a prohibited telemarketing practice to wilfully contact a customer by telephone for ten years after having been contacted, orally or in writing, by the customer or the customer's representative seeking to cease and desist from such calls or contacts. A contact or call is 'wilful' for these purposes if the person making it knows, or should have known, about the customer's instruction not to call or contact (6 Del. C. §2507A).
See section 2.1.2. above.
Delaware law establishes requirements for the safe destruction of records containing personal identifying information by commercial entities (§5001C et seq. of Chapter 50C of Subtitle II of Title 6 of the Del. C.). If a commercial entity intends to permanently dispose of records containing personally identifying information, it must take reasonable steps to destroy or arrange for the destruction of the records by shredding, erasing, or otherwise destroying or modifying the personal identifying information in the records to make it unreadable or indecipherable. Under the law, certain businesses are exempt, such as banks and other financial institutions subject to the federal GLBA, health insurers and health care facilities subject to federal HIPAA requirements, consumer reporting agencies subject to the federal Fair Credit Reporting Act of 1970, and governmental subdivisions, agencies, or instrumentalities. 6 Del. C. §5001C(3) defines 'personal identifying information' as a consumer's first name or first initial and last name in combination with any one of the enumerated elements in the statute that relate to the consumer, when either the name or the data elements are not encrypted, including social security number, passport number, driver's license or state identification card number, insurance policy number, financial services account number, bank account number, credit or debit card number, tax or payroll information, confidential health care information, diagnosis, condition or treatment, or evaluation from a health care provider who has treated the patient. 'Records' are defined as non-public information that is inscribed on a tangible medium, or that is stored in an electronic or other medium and is retrievable in perceivable form on which personal identifying information is recorded or preserved.
The retention of genetic information is prohibited without the informed consent of the individual, and a genetic sample must be destroyed promptly, although there are specified exceptions to both of these requirements (16 Del. C. §1203).
Under the SDPPA, operators in possession of student data must delete such data within a reasonable time (not to exceed 45 days) on the request of a school district or school having control of the data (14 Del. C. §8104A).
10.1. Breach of security
The Computer Security Breaches Law requires persons conducting business in Delaware and owning, licensing, or maintaining personal information of Delaware residents to implement and maintain reasonable procedures and practices to prevent the unauthorised acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business (6 Del. C. §12B-100). Such 'persons' include individuals, business entities and governmental agencies (6 Del. C. §12B-101).
In the event of a breach of security, the person doing business in Delaware who owns or licenses computerised data that includes personal information about a Delaware resident must provide notice of the breach without unreasonable delay, but no later than 60 days after the determination of the breach of security to any Delaware resident whose personal information is reasonably believed to have been breached, unless, a shorter time is required under federal law, a law enforcement agency determines that notice would impede a criminal investigation and such agency has requested a delay in notification, when a person required to give notice could not, through reasonable diligence, or identify within 60 days that personal information of certain residents of Delaware was included in the breach (6 Del. C. §12B-102). In such a case, notice must be made as soon as practicable after such determination is made. If, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to such an individual (6 Del. C. §12B-101 et seq.), no notice is required. Also, the Delaware AG must be notified if the affected number of Delaware residents to be notified exceeds 500.
A breach of security is defined as the unauthorised acquisition of computerised data that compromises the security, confidentiality, or integrity of personal information. It is not considered a beach of security if the information is encrypted. However, this safe harbour does not apply if the encrypted data and the encryption key are breached, and there is a likelihood that the key could be used to unencrypt the data.
The Computer Security Breaches Law defines 'personal information' as a Delaware resident's first name or first initial and last name in combination with any of the following elements, provided that either the name or the data elements are not encrypted:
- social security number;
- driver's license number or state or federal identification card;
- account number or credit or debit card number, in combination with any code, access code, or password that would allow access to the resident's financial account;
- passport number;
- username or email address, in combination with a password or security question and answer that would permit access to an online account;
- medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile;
- health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person;
- unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes; and
- an individual taxpayer identification number.
Personal information does not include publicly available information lawfully made available to the public from a government record or widely distributed media.
Persons who maintain computerised data that includes personal information, but do not own or license that information (i.e. vendors), must give immediate notice to the owner or licensee of the information upon its determination that there has been a breach of security (6 Del. C. §12B-102). The vendor must provide immediate notice without any consideration of whether there is a risk of harm.
If the breach includes social security numbers, the owner or licensee of the information must offer credit monitoring services, at no cost, to Delaware residents whose data was breached for a period of one year.
10.2. Drivers' licenses/motor vehicle records
§305 of Chapter 3 of Title 21 of the Del. C. generally prohibits the disclosure of personal information obtained as part of a motor vehicle record. However, such information may be released under certain limited circumstances, including to a legitimate business to verify the accuracy of personal information submitted by an individual to a business or to obtain correct information for purposes of preventing fraud if information submitted by the individual is incorrect. This information may also be released to an employer or insurer to obtain or verify information relating to a holder of a commercial driver's license required under federal law. Information also may be released if the requestor provides a notarised, written consent from the individual whose information is sought.
10.3. Electronic communications
Under Delaware law, a person or entity providing an electronic communications service or a remote computing service may not knowingly divulge to any other person or entity the contents of an electronic communication while it is in the service's electronic storage (§2422 of Subchapter II of Chapter 24 of Title 11 of the Del. C.). Exceptions to this law apply for disclosure to addressees or intended recipients of the communication, disclosure with the consent of the originator or an addressee or intended recipient, or other specified circumstances. Law enforcement officials may also require disclosure under specified circumstances (11 Del. C. §2423).
Delaware recently enacted the ISDA, which requires Delaware insurers to develop, implement, and maintain a comprehensive, written information security program (18 Del. C. §8604). The program must be based on the insurer's risk assessment and contain administrative, technical, and physical safeguards for the protection of 'non-public information' and the insurer's information system. The information security program must also protect the security and confidentiality of such information, protect against threats or hazards to the security of that information, protect against unauthorised access to such information, define and evaluate a schedule for retention of such information, and provide a mechanism for the destruction of the information when no longer needed. The IDSA also requires that covered insurers promptly, but within not more than three business days, give notification to the Delaware Insurance Commissioner ('the Commissioner') of a data breach if, for Delaware domiciled or home state insurers, there is a reasonable likelihood of materially harming a consumer or any material part of the insurer's normal operations, or notice is required to be given to a government body or self-regulating agency under any state or federal law (18 Del. C. §8606). For all other insurers licensed in Delaware, the requirements for notice are the same, but notice is not triggered unless the insurer has reasonable belief that the non-public information involved relates to 250 or more consumers. The notice must include, among other things and to the extent knowable at the time:
- the date of the breach;
- a description of how the information was exposed, lost, stolen, or breached;
- how the breach was discovered;
- whether any lost, stolen, or breached information has been recovered and, if so, how it was lost, stolen, or breached;
- the identity of the source of the breach;
- whether the insurer filed a police report or notified a regulatory, government, or law enforcement agency;
- a description of the specific types of information acquired without authorisation;
- the period during which the breach compromised the information system;
- the total number of consumers in Delaware that were affected by the breach;
- the results of an internal review identifying a lapse in either automated controls or internal procedures, or confirming that the automated controls or internal procedures were followed;
- a description of efforts being undertaken to remediate the situation;
- the name of a contact person who is both familiar with the breach and authorised to act for the insurer.
18 Del. C. §8603 defines 'non-public information' as electronic information that is not publicly available information and is at least one of the following:
- information concerning a consumer which, because of name, number, personal mark, or another identifier, can be used to identify the consumer, in combination with any one or more of the following data elements:
- social security number;
- driver’s license number or nondriver identification card number;
- financial account number or credit or debit card number;
- a security code, access code, or password that would permit access to a consumer’s financial account; or
- a biometric record;
- information or data, except age or gender, in any form or medium created by or derived from a health-care provider or consumer that can be used to identify a consumer and relates to any of the following:
- the past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of a consumer’s family;
- the provision of health care to a consumer; or
- payment for the provision of health care to a consumer.
The IDSA also mandates that insurers provide notice to affected consumers, if it is determined that a breach has a reasonable likelihood of materially harming a consumer and the event is one in which notification to the Commissioner is required. Notice must occur within 60 days of the discovery of the breach unless certain exceptions apply, such as if the notice would impede a criminal investigation. If the breach involves social security numbers, the insurer must offer one year of free credit monitoring services. The IDSA also provides certain notice requirements to third-party service providers and reinsurers (18 Del. C. §8606).
Delaware law also prohibits insurers regulated under the Delaware Insurance Code from disclosing any non-public personal financial information in violation of the GLBA. The Commissioner has adopted regulations ('the Regulations') specifying these non-disclosure requirements (§301 et seq. of Title 18 of the Delaware Administrative Code ('Del. Admin. C.'). The Regulations define 'non-public personal information' to encompass non-public personal financial information, which in turn is defined to include personally identifiable financial information as set forth in the Regulations.
The Family Educational Rights and Privacy Act of 1974 ('FERPA') regulations require each school district, charter school, and private school to develop and maintain a written policy regarding the educational records of its students (§251 of Title 14 of the Del. Admin. C.). The policy must address, among others, the access to, amendment of, and confidentiality of those records. Covered schools must periodically review such policies to ensure their compliance with the 20 U.S.C. §1232g.
The HIV Testing for Insurance Act, under §7401 et seq. of Chapter 74 of Title 18 of the Del. C., provides that an insurer may not require that an applicant submit to an HIV test unless the insurer obtains the applicant's prior written informed consent, reveals the uses to which test results may be put and to whom they may be disclosed, and provides the applicant with written information on the testing. Insurer disclosure of test result information is strictly limited by the statute to situations such as reports to a medical information exchange agency.
Additionally, the Computer Security Breaches Law, discussed above, includes health insurance policy number, subscriber identification number, and any other unique identifier used by a health insurer, in the definition of personal information (6 Del. C. §12B-101). However, a person regulated by HIPAA is not obligated to comply with the Computer Security Breaches Law to the extent that it maintains procedures for breach pursuant to HIPAA and notifies affected Delaware residents of a data breach in accordance with such procedures (6 Del. C. §12B-103).