Virginia amended its data breach notification law effective July 1, adding a requirement that employers or payroll service providers give notice to the Attorney General's office if payroll information is compromised. Delaware likewise amended its data breach notification law. Among other requirements, the law expands the definition of "personal information" to include medical history, health insurance policy numbers, and unique biometric data. It also requires, subject to certain exceptions, that the data collector notify the Delaware Attorney General if the affected number of residents exceeds 500 and that notice be made no later than 60 days after the data breach. Finally, if the data breach included a Social Security number, the data collector must offer, at no cost to the Delaware resident, credit monitoring services for a period of one year. The amendment becomes effective on April 14, 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.