The Weekly Breach Breakdown Podcast by ITRC - State Privacy Laws in Action - S6E5

Show Transcript

Welcome to the Identity Theft Resource Center's (ITRC’s) Weekly Breach Breakdown for February 14, 2025. I’m Timothy Walden. Thanks to SentiLink for their support of the ITRC and this podcast. Each week on this podcast, we look at the most recent events and trends related to data security and privacy. Today, we’ll focus on the Delaware data privacy law and a recent shift in data breach accountability, particularly how states are stepping up to ensure companies are held responsible for protecting your personal information.  

 As many of you know, states have been leading the way in privacy and data protection, especially as the federal government has yet to pass a nationwide privacy law. Twenty (20) states have now enacted their own data privacy laws, making it clear that local governments are taking the security of their residents’ data seriously.  

 One of the most recent—and significant—moves comes from Delaware. As of January 2025, Delaware can now enforce a 2023 law that gives the state’s Attorney General the power to take action following a data breach. This means that if a company experiences a breach, the Attorney General can now investigate and potentially enforce penalties if the company fails to meet data protection standards.   

Like the legislation passed in other states, the Delaware data privacy law is important because it helps fill a gap that existed because of the absence of a comprehensive federal data privacy and security law. While there are various data breach laws and regulations on the books, enforcement has often been left up to the companies to manage. The Delaware privacy law is an example of how states are actively seeking to hold businesses accountable for failing to protect sensitive consumer information.  

 Delaware is not the first state to take action. Texas and New York have also been active. In Texas, for example, the state Attorney General has been investigating companies when they fail to provide sufficient notice or adequate consumer data protection. The Texas Data Privacy Act (TDPA) enables the state to take enforcement actions for violations of the TDPA, including fines and other penalties for failing to take proper steps to safeguard personal information.  

 Meanwhile, New York’s approach has been similarly stringent. Their data privacy regulations require businesses to implement strong security measures and notify consumers promptly when their data has been compromised. The New York State Department of Financial Services has fined companies for noncompliance with these regulations, sending a clear message that state authorities are serious about privacy.  

 These state-level actions are an important reminder that companies can’t just hope for the best regarding data security. States like Delaware, Texas and New York are ensuring that companies are held accountable, whether that means paying fines, improving security practices, or compensating those harmed by breaches – or all of the above.  

 With 30 states and U.S. territories yet to pass a data privacy and security law, other states will likely follow, creating a patchwork of privacy regulations nationwide. This decentralized approach makes it critical that businesses stay on top of data protection laws in every state where they operate or have customers.  

 If you want to know more about how to protect your business or personal information, the Delaware data privacy law or if you think you’ve been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, text, chat live on the web or exchange emails during our regular business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.  

Thanks to SentiLink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. I'm Tim Walden; until then, thanks for listening.