KLS Keeping Law Simple Legislation in plain English

Straight-ahead summaries built from the official bill text. We keep the source links front and center and leave the decision up to you.

Back to Delaware

HB381 • 2025

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Griffith
Last action
2026-05-21
Official status
Senate Banking, Business, Insurance & Technology 5/21/26
Effective date
Not listed

Plain English Breakdown

The official source material does not provide details on federal law requirements or specific allowances for delays due to law enforcement requests. It also lacks information about penalties and enforcement mechanisms.

Computer Security Breach Notification Requirements

The bill updates Delaware's laws about computer security breaches, specifying that businesses must notify the state's top lawyer (Attorney General) without unreasonable delay but no later than 60 days after discovering a breach.

What This Bill Does

  • Clarifies that businesses must notify the Attorney General of a computer security breach without unreasonable delay but not later than 60 days after determining the breach occurred.

Who It Names or Affects

  • Businesses that experience computer security breaches involving personal information of Delaware residents.
  • The Attorney General of Delaware who will receive notifications about these breaches.

Terms To Know

Notice
A communication sent to the Attorney General or affected individuals when a breach is discovered, which can be in writing, by phone, electronically, or through substitute methods if certain conditions are met.

Limits and Unknowns

  • The bill does not specify what happens if businesses fail to comply with the notification requirements.
  • It is unclear how this act will be enforced or what penalties might apply for non-compliance.
  • The exact date when the new provisions become effective has not been determined.

Bill History

  1. 2026-05-21 Delaware General Assembly

    Passed By House. Votes: 39 YES 2 ABSENT

  2. 2026-05-21 Delaware General Assembly

    Assigned to Banking, Business, Insurance & Technology Committee in Senate

  3. 2026-04-21 Delaware General Assembly

    Reported Out of Committee (Technology & Telecommunications) in House with 6 On Its Merits

  4. 2026-04-16 Delaware General Assembly

    Introduced and Assigned to Technology & Telecommunications Committee in House

Official Summary Text

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.
This Act amends Chapter 12B of Title 6 relating to Computer Security Breaches to clarify when businesses must provide notice of a computer security breach to the Attorney General.

Current Bill Text

Read the full stored bill text 
Legislation Document

SPONSOR:

Rep. Griffith & Sen. Pinkney

Reps. Osienski, K. Johnson, Morrison; Sen. Walsh

HOUSE OF REPRESENTATIVES

153rd GENERAL ASSEMBLY

HOUSE BILL NO. 381

AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO COMPUTER SECURITY BREACHES.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF DELAWARE:

Section 1. Amend Chapter 12B, Subtitle II, Title 6 of the Delaware Code by making deletions as shown by strike through and insertions as shown by underline as follows:

§ 12B-101. Definitions.

For purposes of this chapter:

(5) “Notice” means any of the following:

a. Written notice.

b. Telephonic notice.

c. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 7001 of Title 15 of the United States Code or if the person’s primary means of communication with the resident is by electronic means.

d. Substitute notice, if the person required to provide notice under this chapter demonstrates that the cost of providing notice will exceed $75,000, or that the affected number of Delaware residents to be notified exceeds 100,000 residents, or that the person does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

1. Electronic notice if the person has email addresses for the members of the affected class of Delaware residents.

2. Conspicuous posting of the notice on a website page of the person if the person maintains 1 or more website pages.

3. Notice to major statewide media, including newspapers, radio, and television and publication on the major social media platforms of the person providing notice.

4. Notice of the breach of security to the Attorney General.

§ 12B-102. Disclosure of breach of security; notice.

(c) Notice required by subsection (a) of this section must be made without unreasonable delay but not later than 60 days after determination of the breach of security, except in the following situations:

(1) A shorter time is required under federal law.

(2) A law-enforcement agency determines that the notice will impede a criminal investigation and such law-enforcement agency has made a request of the person that the notice be delayed. Any such delayed notice must be made after such law-enforcement agency determines that notice will not compromise the criminal investigation and so notifies the person of such determination.

(3) When a person otherwise required by subsection (a) of this section to provide notice, could not, through reasonable diligence, identify within 60 days that the personal information of certain residents of this State was included in a breach of security, such person must provide the notice required by subsection (a) of this section to such residents as soon as practicable after the determination that the breach of security included the personal information of such residents,

and must provide notice of the breach of security to the Attorney General within 60 days after the determination of the breach of security,

unless such person provides or has provided substitute notice in accordance with § 12B-101(5)d. of this

title.

title within 60 days after the determination of the breach of security.

§ 12B-103. Procedures deemed in compliance with security breach notice requirements.

(b) Under this chapter, a person that is regulated by state or federal law, including the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191, as amended) and the Gramm Leach Bliley Act (15 U.S.C. § 6801 et seq., as amended) and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with

this chapter

§ 12B-102(c) of this title

if the person notifies affected Delaware residents in accordance with the maintained procedures when a breach of security occurs.

SYNOPSIS

This Act amends Chapter 12B of Title 6 relating to Computer Security Breaches to clarify when businesses must provide notice of a computer security breach to the Attorney General.