Back to Delaware

HB381 • 2025

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Griffith
Last action
2026-06-25
Official status
Passed 6/25/26
Effective date
Not listed

Plain English Breakdown

The official text confirms the bill passed both chambers but does not show if it has been signed by the Governor yet, so an effective date is unknown.

HB381: Updating Rules for Reporting Data Breaches in Delaware

This bill updates state laws to explain exactly how and when businesses must tell people and the Attorney General if a computer security breach happens.

What This Bill Does

  • Defines different ways companies can send notice, including written letters, phone calls, or electronic messages.
  • Allows 'substitute notice' through websites, media ads, and social media if sending individual notices costs more than $75,000, affects over 100,000 people, or contact information is missing.
  • Requires businesses to tell the Attorney General about a breach within 60 days of finding out it happened.
  • Permits delaying public notice if law enforcement says telling people would hurt a criminal investigation.
  • States that companies already following federal rules for data breaches meet these state requirements.

Who It Names or Affects

  • Businesses and organizations holding personal information of Delaware residents
  • The Office of the Attorney General

Terms To Know

Computer Security Breach
An incident where unauthorized people access or take personal information stored on a computer system.
Substitute Notice
A way to tell many people about a breach using websites, news media, and social media instead of sending individual letters. This is allowed only when costs are very high, contact info is missing, or over 100,000 residents are affected.

Limits and Unknowns

  • The bill does not say what happens if a business fails to follow these rules.
  • It amends existing definitions in Chapter 12B but does not list the specific types of personal information that trigger notice requirements within this text.

Bill History

  1. 2026-06-25 Delaware General Assembly

    Passed By Senate. Votes: 21 YES

  2. 2026-06-17 Delaware General Assembly

    Reported Out of Committee (Banking, Business, Insurance & Technology) in Senate with 8 On Its Merits

  3. 2026-05-21 Delaware General Assembly

    Passed By House. Votes: 39 YES 2 ABSENT

  4. 2026-05-21 Delaware General Assembly

    Assigned to Banking, Business, Insurance & Technology Committee in Senate

  5. 2026-04-21 Delaware General Assembly

    Reported Out of Committee (Technology & Telecommunications) in House with 6 On Its Merits

  6. 2026-04-16 Delaware General Assembly

    Introduced and Assigned to Technology & Telecommunications Committee in House

Official Summary Text

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.
This Act amends Chapter 12B of Title 6 relating to Computer Security Breaches to clarify when businesses must provide notice of a computer security breach to the Attorney General.

Current Bill Text

Read the full stored bill text
Legislation Document

SPONSOR:

Rep. Griffith & Sen. Pinkney

Reps. Osienski, K. Johnson, Morrison, Harris; Sen. Walsh

HOUSE OF REPRESENTATIVES

153rd GENERAL ASSEMBLY

HOUSE BILL NO. 381

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

Section 1. Amend Chapter 12B, Subtitle II, Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:

§ 12B-101. Definitions.

For purposes of this chapter:

(5) “Notice” means any of the following:

a. Written notice.

b. Telephonic notice.

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code or if the person’s primary means of communication with the resident is by electronic means.

d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

1. Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.

2. Conspicuous posting of the notice on a website page of the person if the person maintains 1 or more website pages.

3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.

4. Notice of the breach of security to the Attorney General.

§ 12B-102. Disclosure of breach of security; notice.

(c) Notice required by subsection (a) of this section must be made without unreasonable delay but not later than 60 days after determination of the breach of security, except in the following situations:

(1) A shorter time is required under federal law.

(2) A law-enforcement agency determines that the notice will impede a criminal investigation and such law-enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law-enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.

(3) When a person otherwise required by subsection (a) of this section to provide notice, could not, through reasonable diligence, identify within 60 days that the personal information of certain residents of this State was included in a breach of security, such person must provide the notice required by subsection (a) of this section to such residents as soon as practicable after the determination that the breach of security included the personal information of such residents,

and must provide notice of the breach of security to the Attorney General within 60 days after the determination of the breach of security,

unless such person provides or has provided substitute notice in accordance with § 12B-101(5)d. of this

title.

title within 60 days after the determination of the breach of security.

§ 12B-103. Procedures deemed in compliance with security breach notice requirements.

(b) Under this chapter, a person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, as amended) and the Gramm Leach Bliley Act (15 U.S.C. § 6801 et seq., as amended) and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with

this chapter

§ 12B-102(c) of this title

if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.

SYNOPSIS

This Act amends Chapter 12B of Title 6 relating to Computer Security Breaches to clarify when businesses must provide notice of a computer security breach to the Attorney General.