Delaware Data Breach Notification Laws: Reporting Rules & Timelines (2026)

When a business suffers a data breach that exposes Delaware residents' personal information, state law imposes strict notification obligations. Delaware's Computer Security Breaches statute, Del. Code tit. 6, Ch. 12B, requires prompt notification to affected individuals, and in larger breaches, to the Attorney General. Originally enacted in 2005, the law received a major overhaul through HB 180 (81 Del. Laws, c. 129) in 2017, which tightened deadlines, expanded the definition of personal information, and added the AG notification requirement.
This guide covers who must comply, what triggers notification, the timeline and content requirements, enforcement, and how the 2025 [Delaware Personal Data Privacy Act](https://delcode.delaware.gov/title6/c012d/index.html) (DPDPA) interacts with breach obligations.
Who Must Comply With Delaware's Breach Notification Law
The law applies to any person that conducts business in Delaware and owns, licenses, or maintains computerized data containing personal information of Delaware residents. "Person" is defined broadly under Section 12B-101(6) and includes individuals, corporations, LLCs, partnerships, trusts, joint ventures, government agencies, and any other legal or commercial entity.
Delaware uses two distinct compliance tiers. Data owners and licensees carry the direct notification duty. Third-party data maintainers (such as cloud hosting providers or payment processors) must notify and cooperate with the data owner immediately after discovering a breach, sharing all information relevant to the incident.
Entities with Separate Compliance Frameworks
Section 12B-103 provides that entities regulated under federal law, including those governed by HIPAA or the Gramm-Leach-Bliley Act, satisfy Delaware's requirements if they follow their federal regulator's breach notification procedures and notify affected Delaware residents accordingly.
Similarly, any business that maintains its own breach notification procedures as part of an information security policy can comply by following those internal procedures, as long as the timing aligns with Delaware's 60-day deadline.
What Qualifies as a Breach of Security

Under Section 12B-101(1), a breach of security is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information.
The statute includes a good faith exception. If an employee or agent acquires personal information as part of their legitimate job duties, that does not constitute a breach, provided the data is not used for an unauthorized purpose or disclosed further without authorization.
The Encryption Safe Harbor
Delaware provides a clear safe harbor for encrypted data. A breach does not trigger notification obligations if the compromised personal information was encrypted, unless the unauthorized party also acquired (or is reasonably believed to have acquired) the encryption key.
This means businesses that encrypt personal information at rest and in transit can avoid notification requirements, but only if the encryption keys remain secure. If both the encrypted data and the key are compromised, the full notification obligations apply.
Personal Information That Triggers Notification
Delaware has one of the more comprehensive definitions of personal information among state breach notification laws. Under Section 12B-101(7), personal information means a Delaware resident's first name or first initial and last name combined with any one or more of the following:
- Social Security number
- Driver's license number or state/federal identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit account access
- Passport number
- Username or email address, combined with a password or security question and answer that would permit access to an online account
- Medical history, medical treatment by a healthcare professional, diagnosis of a mental or physical condition, or DNA profile
- Health insurance policy number, subscriber identification number, or other unique health insurer identifier
- Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes
- Individual taxpayer identification number
Personal information does not include publicly available information lawfully obtained from federal, state, or local government records or widely distributed media.
DPDPA Expands Biometric Protections
The Delaware Personal Data Privacy Act, effective January 1, 2025, classifies biometric data as sensitive personal data under Section 12D-102(30). This means businesses must obtain affirmative consent before collecting biometric data, and a breach involving such data triggers both notification under Chapter 12B and potential enforcement under the DPDPA. For more on how Delaware regulates biometric data, see our guide to Delaware biometric privacy law.
Notification Timeline and Requirements

The 60-Day Deadline
Delaware imposes a firm 60-day notification deadline. Under Section 12B-102(c), notice must be provided without unreasonable delay and no later than 60 days after the business determines a breach has occurred.
The clock starts at the "determination of the breach," which Section 12B-101(2) defines as the point when the data holder has sufficient evidence to conclude a breach took place. The investigation period before that determination does not count against the 60 days.
Exceptions to the 60-Day Rule
Three situations can modify the timeline:
- Federal law requires a shorter deadline. If another applicable federal regulation mandates faster notification, the business must meet that stricter deadline.
- Law enforcement delay. A law enforcement agency can request a delay if notification would impede a criminal investigation. The business must notify affected individuals as soon as law enforcement confirms the notification will no longer compromise the investigation.
- Extended identification period. If a business cannot identify all affected Delaware residents within 60 days despite reasonable diligence, it must notify those individuals as soon as practicable after identification, or provide substitute notice in the meantime.
Methods of Notification
Section 12B-101(5) allows four notification methods:
- Written notice sent to the affected individual
- Telephonic notice delivered directly
- Electronic notice, if consistent with federal E-SIGN Act requirements or if email is the primary communication channel with the individual
- Substitute notice, available when notification costs exceed $75,000, more than 100,000 Delaware residents are affected, or the business lacks sufficient contact information
Substitute notice requires all three of the following: email notification (if addresses are available), conspicuous posting on the company's website, and notice to major statewide media outlets including newspapers, radio, television, and the company's major social media platforms.
Special Rule for Email Credential Breaches
When a breach involves login credentials for an email account provided by the breached entity, the business cannot send the notification to that compromised email address. Instead, it must use another approved method or deliver a clear, conspicuous notice when the resident logs into the account from a recognized IP address or location.
Attorney General Notification
Under Section 12B-102(d), when a breach affects 500 or more Delaware residents, the business must notify the Delaware Attorney General no later than the time individual notifications are sent. The AG notification goes to the Fraud and Consumer Protection Division, which maintains a public page tracking reported breaches.
Credit Monitoring for SSN Breaches
When a breach involves Social Security numbers, Section 12B-102(e) requires the breached entity to offer free credit monitoring services for one year to every affected resident. The business must also provide instructions on how to place a credit freeze. This obligation does not apply if an appropriate investigation determines the breach is unlikely to cause harm.
Data Security Obligation
Beyond notification, Section 12B-100 imposes a standalone duty on any person conducting business in Delaware to implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information. This security requirement applies independently of any breach event.
Enforcement and Penalties

Attorney General Enforcement
The Delaware Attorney General enforces Chapter 12B through the Consumer Protection Division under Section 12B-104. The AG can bring an action in law or equity to address violations and recover direct economic damages resulting from noncompliance.
No Private Right of Action
Delaware's breach notification law does not create a private right of action. Individual consumers cannot sue businesses directly for failing to comply with the notification requirements. However, Section 12B-104(b) preserves any existing rights individuals may have under common law, other statutes, or other legal theories.
DPDPA Enforcement Overlap
The DPDPA, effective January 1, 2025, gives the Attorney General additional enforcement authority over data privacy violations. If a breach results from inadequate data protection practices, the AG could pursue enforcement under both Chapter 12B (breach notification) and Chapter 12D (privacy violations), with DPDPA penalties reaching up to $10,000 per violation.
How Delaware Compares to Neighboring States
Delaware's 60-day notification deadline places it in the middle of the pack nationally. Some states, like Florida, impose 30-day deadlines. Others have no specific deadline and require only that notice occur in a "reasonable" time.
Delaware stands out for its broad definition of personal information, which includes nine categories of protected data. The credit monitoring requirement for SSN breaches also goes beyond what many states mandate.
For a broader view of how Delaware handles data privacy, see our Delaware Data Privacy Laws overview.
Sources and References
This article draws from the following official Delaware government sources:
- Del. Code tit. 6, Ch. 12B (Computer Security Breaches) - Full text of Delaware's data breach notification statute (delcode.delaware.gov)
- Del. Code tit. 6, Ch. 12D (Delaware Personal Data Privacy Act) - Comprehensive data privacy law effective January 1, 2025 (delcode.delaware.gov)
- Delaware Attorney General: Data Security Breaches - AG's breach notification guidance and reporting portal (attorneygeneral.delaware.gov)
- 81 Del. Laws, c. 129 (HB 180, 2017) - Major amendment that established the 60-day deadline and expanded protections (legis.delaware.gov)
- 81 Del. Laws, c. 425 (legis.delaware.gov)
This article provides general legal information about Delaware data breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Delaware for guidance specific to your situation.