
Data Breach Response: The Difference Between a Fine and a Warning

If you receive a call from John Eakins, Deputy Attorney General of Delaware, after filing a data breach notice with the state, you know there’s a problem. The information security team’s next steps could mean the difference between facing a hefty fine and receiving a warning with your reputation intact.

Delaware Personal Data Privacy Act (DPDPA) Enforcement

Delaware Deputy Attorney General Eakins is in charge of enforcing the new state regulations under the Delaware Personal Data Privacy Act (DPDPA), which was first passed by lawmakers in 2023 and comes into effect on January 1. He states that organizations operating in Delaware should expect a call from his office after reporting a major breach. He will then want to drill down on two specific criteria: the harm caused and whether it can be fixed.

Establishing a Strong Framework

Eakins emphasizes that organizations should expect to be asked to provide information on the settlement reached with Marriott. The baseline technical requirements established out of that multistate settlement include a comprehensive information security program, minimization of the amount of data collected, disposal requirements, and supply chain oversight. This is a strong starting framework for organizations to follow.

A New Era of Data Protection

Moving forward, Kaltsounis expects to see a "friendly competition" emerge among states to demonstrate the strongest data protection stance on behalf of their citizens. Staffed-up offices of state regulators armed with a mandate and fresh budgets are likely to become a standard fixture in the aftermath of a data breach.

Preparing for the Call

When they call, what story will you have to tell them?

