Forty-eight states have enacted data breach notification laws, and they frequently are amended and updated. The most recent state to update its law is Delaware.

A significant change in the new law is that Delaware residents who are affected by a data breach of their personal information must be offered 12 months of free credit monitoring. In addition, those affected by a breach must be notified of the incident as soon as possible, but no later than 60 days after the discovery of the breach.

Significantly, Delaware became the 14th state to require companies to adopt appropriate written security measures to protect sensitive information.

Delaware also expanded the definition of personal information for which notification is required to include usernames and email addresses in combination with a password or answers to security numbers, driver’s license numbers, mental health, physical condition, medical information, health insurance numbers, DNA information, unique biometric data and tax payer identification numbers.