State Security Notification Laws - New Jersey and Delaware

Posted by BAS - 23 August, 2012


In Part Two of this series on state breach notification laws, we will review two Mid-Atlantic state privacy laws – Delaware and New Jersey – and compare them to the Pennsylvania Breach of Personal Information Notification Act (Click here to read Part One of the series).

Delaware and New Jersey have enacted statutes to ensure that residents are notified when their personal data has been compromised.

Who Must Comply?

Similar to the Pennsylvania statute, Delaware and New Jersey both require entities that do business in their state to comply with notification laws. The Delaware law also applies to entities that license data that includes personal information about Delaware residents.

What is Personal Information?

Pennsylvania, Delaware and New Jersey define personal information as: 1) Social Security number, 2) Driver’s license or State Identification Card number, or 3) account number, credit or debit card number in combination with the required code that would permit access to the individual’s financial account.

What is a Breach?

New Jersey defines a Breach of Security as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method of technology that renders the personal information unreadable or unusable.”

Delaware’s statute is slightly different, defining a breach of the security of the system as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or commercial entity.”

What are the Notice Requirements?

The Pennsylvania, New Jersey and Delaware statutes require notice to be provided “without unreasonable delay,” but do allow time to conduct an investigation of the incident. How notification of the breach must be provided depends on the entity’s contact information for the individual and the number of individuals affected.

All three state statutes allow notice to be provided by 1) letter sent to the last known address for the individual and 2) email, if prior to the incident the entity had the individual’s email address and had a business relationship. Delaware and Pennsylvania permit notification by telephone; however, Pennsylvania places several requirements on the content of the communication (see Part One of this series for more information). Alternate notification options vary among the states.

Under the New Jersey law, substitute notice is permissible if 1) the cost of providing notice is more than $250,000, 2) more than 500,000 individuals must be notified, or 3) the entity has insufficient contact information. Delaware permits substitute notice if 1) the cost of notice is more than $75,000, 2) the number of individuals to be contacted is greater than 100,000, or 3) the entity has insufficient contact information.

In all instances, substitute notice must include ALL of the following: 1) email if an address is available, 2) conspicuous posting on the entity’s website (if the entity maintains a website), and 3) notification to statewide media.

Finally, if notification is required to more than 1,000 individuals, the entity is required to notify all national consumer-reporting agencies, as defined by Section 603 of the Fair Credit Reporting Act.

Next Step


Employers who store personal information electronically are encouraged to review Privacy and Security Policies to ensure compliance with applicable state law.
