← All US breach laws·DE

Delaware data breach notification law

Delaware's data breach notification requirements under 6 Del. C. §§12B-101 to 12B-104. Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
6 Del. C. §§12B-101 to 12B-104
Enforcer
Delaware Attorney General
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
Without unreasonable delay, but no later than 60 days after determination of breach
Notify the state regulator
Yes — written notice to the AG if breach affects more than 500 Delaware residents
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification not required if, after appropriate investigation, the breach is not reasonably likely to result in harm
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Delaware law

First name/initial + last name with SSN, DL/state ID, financial account + access code, passport, medical info, health-insurance info, biometric data, DNA profile, taxpayer ID, military ID, OR username/email + password/security Q&A

Penalties and enforcement

Civil action by AG under Consumer Fraud Act; injunctive relief and restitution
Enforced by: Delaware Attorney General. Official regulator page →

Common pitfalls

Delaware was the first US state to require free credit monitoring if SSN was breached — must offer 1 year at no cost

Frequently asked questions

How long do I have to notify Delaware residents after a data breach?
Without unreasonable delay, but no later than 60 days after determination of breach
Do I have to notify the Delaware Attorney General?
Yes — written notice to the AG if breach affects more than 500 Delaware residents
Does Delaware require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Delaware's breach notification requirement?
Yes — Delaware has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Delaware residents sue me directly for a data breach?
No — Delaware's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Delaware law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, passport, medical info, health-insurance info, biometric data, DNA profile, taxpayer ID, military ID, OR username/email + password/security Q&A
What are the penalties for failing to comply with Delaware's breach notification law?
Civil action by AG under Consumer Fraud Act; injunctive relief and restitution

Related state breach laws

Colorado (CO)
Colo. Rev. Stat. §6-1-716
Connecticut (CT)
Conn. Gen. Stat. §36a-701b
District of Columbia (DC)
D.C. Code §§28-3851 to 28-3853
Florida (FL)
Fla. Stat. §501.171

Pre-empt the Delaware breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Delaware's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit