For purposes of this chapter:
(1) “Breach of security” means as follows:
a. The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good faith acquisition of personal information by an employee or agent of any person for the purposes of such person is not a breach of security, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
b. The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information is not a breach of security to the extent that personal information contained therein is encrypted, unless such unauthorized acquisition includes, or is reasonably believed to include, the encryption key and the person that owns or licenses the encrypted information has a reasonable belief that the encryption key could render that personal information readable or useable.
(2) “Determination of the breach of security” means the point in time at which a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.
(3) “Encrypted” means personal information that is rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.
(4) “Encryption key” means the confidential key or process designed to render the encrypted personal information useable, readable, and decipherable.
(5) Notice’' means any of the following:
a. Written notice.
b. Telephonic notice.
c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code or if the person’s primary means of communication with the resident is by electronic means.
d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
1. Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.
2. Conspicuous posting of the notice on a website page of the person if the person maintains 1 or more website pages.
3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.
(6) “Person” means an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity.
(7) a. Personal information’' means a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual:
1. Social Security number.
2. Driver’s license number or state or federal identification card number.
3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
4. Passport number.
5. A username or email address, in combination with a password or security question and answer that would permit access to an online account.
6. Medical history, medical treatment by a health-care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile.
7. Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person..
8. Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes.
9. An individual taxpayer identification number.
b. Personal information’' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely-distributed media.
75 Del. Laws, c. 61, § 1; 81 Del. Laws, c. 129, § 1; 81 Del. Laws, c. 425, § 1.