Delaware businesses don’t need a “perfect” security program to be compliant—but they do need a reasonable, documented, consistently followed approach to protecting personal data and responding to incidents.
In 2026, cybersecurity requirements for Delaware businesses increasingly come from a blend of Delaware breach-notification law, the Delaware Personal Data Privacy Act, and federal/industry rules that may apply depending on what you do (payments, healthcare, finance, insurance, etc.).
The practical takeaway is simple: build a compliance-minded security baseline (policies + risk assessment + core controls), keep proof, and be ready to act quickly if something goes wrong.
This guide is written for Delaware SMBs, startups, nonprofits, and professional services organizations that handle customer data and want clear Delaware business cybersecurity compliance guidance. It is general guidance—not legal advice. Always confirm obligations with official sources and your counsel, especially for breach response.
Pro Tip: Treat compliance as “show your work.” In 2026, regulators and partners often care less about buzzwords and more about whether you can demonstrate reasonable safeguards, training, vendor oversight, and a tested incident response process.
What “cybersecurity compliance” means
Cybersecurity compliance is the set of legal, contractual, and industry obligations that require your organization to protect data, reduce risk, and respond appropriately to security incidents. For Delaware organizations, it typically means:
- You implement reasonable administrative, technical, and physical safeguards for the data you handle (customer, patient, employee, donor, or financial information).
- You maintain documentation (policies, risk assessments, training logs, vendor reviews, incident response plan) showing that safeguards exist and are being followed.
- You can detect, respond to, and recover from incidents—especially data breaches—without unnecessary delay.
- You meet Delaware’s rules for notifying affected people and, in certain cases, notifying the state.
Compliance is not a single checklist that applies identically to every business. It depends on:
- Data types (SSNs, payment card data, health data, account credentials, etc.).
- Business model (retail POS vs. SaaS vs. professional services vs. nonprofit).
- Regulatory scope (HIPAA, GLBA/FTC Safeguards Rule, PCI DSS, insurance-specific rules).
- Vendor ecosystem (cloud, payment processors, IT providers, HR platforms).
Pro Tip: If you can’t explain your program to a non-technical leader in 5 minutes, it’s probably too complex for consistent execution. Keep policies short, controls practical, and evidence easy to produce.
Delaware-specific legal obligations in 2026

Delaware’s biggest statewide cybersecurity obligations are (a) breach notification rules and (b) privacy law requirements for qualifying organizations.
Delaware data breach notification law: who it applies to and what triggers it
Delaware’s breach notification law applies broadly to any person or organization that conducts business in Delaware and owns or licenses computerized data that includes personal information about Delaware residents.
A key trigger is a “breach of security” involving personal information (generally unauthorized acquisition of certain personal information).
Delaware also uses a harm threshold—meaning in some situations, after an appropriate investigation, an organization may determine the breach is unlikely to result in harm. That determination should be documented and defensible.
- Timeline (critical): Notice to affected Delaware residents must be made without unreasonable delay and no later than 60 days after determination of the breach, subject to limited exceptions (e.g., law enforcement delay, shorter federal timeline).
- Delaware Attorney General breach reporting: If the number of affected Delaware residents you must notify exceeds 500, you must also notify the Delaware Attorney General (not later than the time you provide resident notice). Delaware DOJ provides guidance and a notification intake process.
- Credit monitoring: If the breach includes Social Security numbers, Delaware requires offering credit monitoring services at no cost for 1 year (with enrollment info and credit-freeze information), with limited exceptions.
Pro Tip: Start your “60-day clock” discipline early. Many teams lose time arguing about whether an incident is “real.” Build an internal rule: once you have a credible indication of unauthorized access to personal information, escalate to your incident lead and counsel immediately.
Delaware personal information definition: what counts in 2026
Your breach-notification obligations depend heavily on whether the data meets Delaware’s definition of “personal information.” While the statute contains detailed categories, Delaware generally treats personal information as certain data elements about a resident when combined with an identifier (and includes certain sensitive elements like credentials).
Because the exact statutory wording matters, confirm the current definition in Delaware Code when assessing an incident. (Start with Title 6, Chapter 12B.)
A practical way to operationalize this is to maintain a data inventory of:
- Customer identity data (name + government ID elements)
- Financial account data
- Online credentials (especially email account credentials and passwords)
- Employee SSNs and payroll data
- Patient health and insurance identifiers (if applicable)
Pro Tip: Maintain a “breach classifier” worksheet in your incident response plan: data type → Delaware personal information? → other regimes (HIPAA/GLBA/payment cards) → required notices.
Delaware Personal Data Privacy Act in 2026: what may apply to your organization
Delaware’s consumer privacy law—the Delaware Personal Data Privacy Act (DPDPA)—creates consumer rights and imposes duties on certain organizations (controllers/processors) that process personal data. Delaware Code Title 6, Chapter 12D is the authoritative text.
Key duties for covered organizations include maintaining reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data.
In 2026 specifically, note that Delaware’s law includes an obligation (by January 1, 2026) to allow opt-out via an opt-out preference signal for targeted advertising and/or sale of personal data under specified conditions.
Enforcement is handled by the Delaware Department of Justice (Attorney General), and the law includes provisions that affect how enforcement works over time (for example, cure-period language with a sunset). Confirm the current enforcement mechanics for 2026 in the statute and official Delaware DOJ guidance as it evolves.
Pro Tip: Even if you’re not sure you meet DPDPA thresholds, adopting its “data minimization + security safeguards + consumer request workflow” posture often improves your overall Delaware business cybersecurity compliance story for customers and investors.
Recordkeeping and documentation expectations: “prove it” readiness
Delaware statutes don’t always prescribe a single mandated binder, but in practice you should be able to produce:
- A current incident response plan (and evidence it’s been tested)
- Policies (access control, acceptable use, vendor management, backups)
- Risk assessment outputs and prioritized remediation
- Training completion logs
- Vendor security review records (especially for processors/IT providers)
- Breach investigation notes and harm analysis (when relevant)
This “evidence layer” is often what separates organizations that manage an incident smoothly from those that scramble.
Federal and industry rules Delaware businesses often fall under

Delaware law is only part of the picture. Many Delaware organizations are subject to additional requirements that are triggered by what data you handle and what services you provide.
PCI DSS for card payments (retail, restaurants, e-commerce)
If you accept payment cards, you’re typically required by card brands/acquirers to comply with PCI DSS. In 2026, PCI DSS v4.x expectations are firmly in place, including “future-dated” requirements that became effective March 31, 2025.
What this means operationally:
- Even if you outsource payments to a hosted checkout page or a modern POS, you still have responsibilities (scope depends on your setup).
- You must maintain secure configurations, patching, strong access controls, and monitoring around any systems in scope.
- Many acquirers require annual SAQs and quarterly scans (as applicable).
Pro Tip: PCI compliance does not replace Delaware breach-notification duties. If a compromise involves Delaware “personal information” (or other regulated data), you may have Delaware notification obligations even if your PCI obligations are being handled by vendors.
HIPAA (healthcare providers, clinics, certain apps, and business associates)
If you’re a HIPAA covered entity or business associate, HIPAA’s Security Rule requires administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).
HIPAA also emphasizes policies and procedures and documentation requirements, which align well with compliance-grade cybersecurity basics.
If you’re in healthcare, build your program around:
- Risk analysis and risk management
- Access control and audit controls
- Workforce training and incident procedures
HHS also provides specific guidance on incidents like ransomware, reinforcing expectations for security incident procedures and response.
GLBA and the FTC Safeguards Rule (financial institutions and some adjacent businesses)
Organizations that qualify as “financial institutions” under GLBA (as interpreted in FTC jurisdiction) must comply with the Safeguards Rule, which requires development, implementation, and maintenance of an information security program. The rule text is codified in 16 CFR Part 314.
The FTC has also continued issuing guidance and updates, including changes requiring certain covered entities to report particular security incidents to the FTC (separate from Delaware notification rules).
Pro Tip: Many professional services firms (tax prep, some advisory services) can accidentally fall into GLBA/FTC territory depending on services offered and data handled. Confirm scope early—don’t wait for a client questionnaire to surprise you.
Insurance-sector cybersecurity (if you’re a regulated “licensee”)
If you’re a licensee under Delaware’s insurance code, Delaware has specific cybersecurity requirements and reporting obligations under Title 18, Chapter 86 (Insurance Data Security Act).
This regime focuses on maintaining an information security program and specific notification requirements to the insurance commissioner and others, and it can be “exclusive” for that sector in Delaware.
Core compliance controls every Delaware company should implement

If you want a practical “reasonable safeguards” baseline for 2026, these controls cover most Delaware business cybersecurity compliance expectations across laws, customer contracts, and insurer questionnaires.
Governance, policies, and a written information security program (WISP)
A written information security program (WISP) is not just a big-company formality. It’s how you translate “reasonable safeguards” into operational reality. For many organizations, especially those subject to GLBA/FTC or insurance rules, some form of documented security program is a must-have.
A right-sized WISP typically includes:
- Scope (systems, data, locations, vendors)
- Roles and responsibilities (security owner, incident lead, IT admin, HR)
- Risk assessment process and review cadence
- Minimum security standards (MFA, encryption, patching, backups)
- Vendor risk management approach
- Incident response and reporting workflow
- Training requirements
Avoid creating a WISP that no one reads. Make it 10–20 pages for SMBs, with linked procedures and checklists.
Pro Tip: Put one executive name on the line. Assign a single accountable owner (even if they delegate execution). Compliance programs fail when ownership is “everyone.”
Risk assessment: the compliance engine
A risk assessment is the engine of a defensible program. It helps you decide what “reasonable” means for your business. For most SMBs, a practical approach is:
- Identify critical systems and data (payment, HR, production, customer CRM, patient systems)
- Identify top threats (phishing, ransomware, vendor compromise, lost devices)
- Evaluate current controls and gaps
- Prioritize remediation by impact and likelihood
- Track completion and reassess on a schedule (at least annually, and after major changes)
If you’re covered by HIPAA, “risk analysis” is explicitly central to compliance.
If you’re under GLBA/FTC Safeguards, your program must be “appropriate to size and complexity” and based on risk.
Access control + MFA (multi-factor authentication)
For 2026, MFA is one of the most consistently expected controls across:
- Insurer questionnaires
- Customer security reviews
- Common compliance frameworks
- “Reasonable safeguards” arguments
Implement MFA for:
- Email (Microsoft 365/Google Workspace)
- VPN/remote access
- Cloud admin accounts
- Finance systems (banking, payroll)
- Code repositories and production dashboards
- Any privileged/administrator access
Also implement:
- Unique accounts (no shared logins)
- Least privilege (only the access people need)
- Quarterly access reviews for critical systems
Pro Tip: Start with email MFA first. Email compromise is still a top path to wire fraud, invoice fraud, and ransomware.
Encryption at rest and in transit + secure backups
Encryption reduces breach impact and strengthens defensibility:
- In transit: TLS for web apps, secure email configurations, VPN where appropriate
- At rest: device encryption (laptops), encrypted cloud storage, encrypted databases where feasible
Backups are your ransomware survival kit:
- Follow a 3-2-1 mindset (multiple copies, different media, one offline/immutable)
- Test restores at least quarterly
- Protect backup credentials with MFA and separate admin roles
HIPAA guidance on ransomware emphasizes incident procedures and response planning, reinforcing the need for resilience and recovery readiness.
Endpoint protection, vulnerability management, and patching
A compliance-friendly vulnerability management program includes:
- Asset inventory (know what you have)
- Regular patching cadence (e.g., weekly for critical, monthly for standard)
- Prioritized remediation for critical vulnerabilities
- Endpoint protection/EDR on laptops and servers
- Email anti-phishing controls (SPF/DKIM/DMARC where feasible)
The “proof” artifacts matter: patch reports, change tickets, vulnerability scan summaries, and exception tracking.
Logging, monitoring, and SIEM-lite approaches
Not every SMB needs a full SIEM, but every SMB needs some monitoring:
- Centralize key logs where feasible (cloud audit logs, endpoint alerts, firewall logs)
- Turn on alerting for suspicious sign-ins, admin changes, and mass data exports
- Keep logs long enough to investigate (90 days is a common minimum starting point; longer is better for incident reconstruction)
If you’re a SaaS provider, investors and customers often ask about log retention, detection, and incident response maturity.
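The three alert types the monitoring list names (suspicious sign-ins, admin changes, mass data exports) can be implemented with a small script before any SIEM is in place. The following is an added example written for this guide, not code from the article or from any vendor: it runs over a constructed JSON-lines audit log, and the field names, user names, IP addresses, role names, and thresholds are all assumptions chosen for the demonstration.

```python
"""SIEM-lite detection pass over constructed cloud audit-log lines (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit log in JSON-lines form. The field names (ts, user,
# event, country, ip, result, role, records) are an assumption for this example;
# map your provider's real field names in parse_log() before reusing this.
SAMPLE_LOG = """\
{"ts": "2026-02-03T08:01:00Z", "user": "alice", "event": "signin", "country": "US", "ip": "198.51.100.10", "result": "success"}
{"ts": "2026-02-03T08:03:00Z", "user": "bob", "event": "signin", "country": "US", "ip": "198.51.100.11", "result": "success"}
{"ts": "2026-02-03T09:10:00Z", "user": "alice", "event": "signin", "country": "RO", "ip": "203.0.113.5", "result": "success"}
{"ts": "2026-02-03T09:12:00Z", "user": "alice", "event": "role_assign", "target": "alice", "role": "GlobalAdmin"}
{"ts": "2026-02-03T09:15:00Z", "user": "alice", "event": "export", "dataset": "customers", "records": 4000}
{"ts": "2026-02-03T09:20:00Z", "user": "alice", "event": "export", "dataset": "customers", "records": 3500}
{"ts": "2026-02-03T10:00:00Z", "user": "carol", "event": "export", "dataset": "invoices", "records": 200}
"""

# Baseline of countries each user normally signs in from (constructed).
KNOWN_COUNTRIES: Dict[str, set] = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
ADMIN_ROLES = {"GlobalAdmin", "BillingAdmin"}   # constructed role names
EXPORT_THRESHOLD = 5000                          # records per user per window (constructed)
EXPORT_WINDOW = timedelta(hours=1)


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict]) -> List[dict]:
    """Apply the three alert rules and return a list of alert records."""
    alerts = []
    recent_exports = defaultdict(list)   # user -> [(ts, records)] inside the sliding window
    for ev in events:
        kind = ev["event"]
        if kind == "signin" and ev.get("result") == "success":
            # Rule 1: successful sign-in from a country not in the user's baseline.
            if ev.get("country") not in KNOWN_COUNTRIES.get(ev["user"], set()):
                alerts.append({"type": "new_country_signin", "user": ev["user"], "ts": ev["ts"],
                               "detail": f'{ev.get("country")} from {ev.get("ip")}'})
        elif kind == "role_assign" and ev.get("role") in ADMIN_ROLES:
            # Rule 2: any assignment of a privileged role is an admin change worth reviewing.
            alerts.append({"type": "admin_role_assigned", "user": ev["user"], "ts": ev["ts"],
                           "detail": f'{ev.get("role")} -> {ev.get("target")}'})
        elif kind == "export":
            # Rule 3: records exported by one user within the window exceed the threshold.
            window = [(t, n) for t, n in recent_exports[ev["user"]] if ev["ts"] - t <= EXPORT_WINDOW]
            window.append((ev["ts"], int(ev.get("records", 0))))
            recent_exports[ev["user"]] = window
            total = sum(n for _, n in window)
            if total > EXPORT_THRESHOLD:
                alerts.append({"type": "mass_export", "user": ev["user"], "ts": ev["ts"],
                               "detail": f"{total} records within {EXPORT_WINDOW}"})
    return alerts


def run(text: str = SAMPLE_LOG) -> List[dict]:
    """Parse and detect in one call; used by the test and the command line."""
    return detect(parse_log(text))


def alert_counts(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by type, a handy number to keep as monitoring evidence."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in run():
        print(a["ts"].isoformat(), a["type"], a["user"], a["detail"])
```

On the constructed log, the script raises three alerts, all for the same account: a sign-in from a country outside the baseline, a privileged role assignment a few minutes later, and 7,500 customer records exported within an hour. Keeping the alert records (not just the raw log) gives you the kind of investigation evidence the retention bullet above refers to.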
Incident response plan + tabletop exercises
Your incident response plan should define:
- What counts as an incident
- How to escalate and who leads
- Communication channels (including a non-email backup)
- Vendor contacts (forensics, cyber insurance hotline, outside counsel, MSP)
- Decision points for Delaware notice obligations
- Templates for internal updates and customer communications
Test it with a tabletop exercise at least annually. Tabletop outcomes become excellent audit evidence.
Vendor risk management / third-party security
Many breaches start with a vendor. Your program should include:
- A vendor inventory (who touches what data)
- Contract basics (security obligations, breach notification timing, subprocessor controls)
- Minimum due diligence (SOC 2 reports when available, security questionnaire, or baseline attestations)
- Periodic re-review for critical vendors
If you’re subject to DPDPA duties as a controller/processor, vendor and processor obligations become a direct compliance concern.
Pro Tip: Classify vendors into tiers. Apply the heaviest scrutiny only to vendors that store or can access sensitive data or production systems.
Compliance by business type: what “good” looks like in Delaware

Different Delaware organizations face different threat profiles and compliance triggers. Below are practical compliance “profiles” for common business types.
Retail and restaurants (POS + PCI + operational resilience)
Retail and restaurants tend to be exposed through POS systems, employee turnover, and third-party integrations. Your focus areas should be:
- PCI DSS scope reduction: Use reputable POS providers, tokenization, and hosted payment flows where possible (confirm your actual scope with your acquirer/QSA).
- Access control discipline: Unique logins for POS back office, manager accounts, and remote support tools; MFA wherever available.
- Network segmentation: Separate guest Wi-Fi from POS and business operations.
- Patching cadence: POS software, routers, and any Windows devices must be kept current.
- Incident readiness: Define what to do if you suspect skimming, POS malware, or unusual chargeback spikes.
PCI timelines matter in 2026 because PCI DSS v4.x requirements are in effect (with major requirements having become mandatory in 2025).
Pro Tip: If your POS vendor offers “remote support,” confirm how it’s secured (MFA, logging, and whether access is time-bound). Remote access is a common breach path in small retail environments.
Healthcare (HIPAA + vendors + ransomware preparedness)
Healthcare compliance is more formal because HIPAA requires documented safeguards and practices. Build around:
- HIPAA Security Rule administrative/technical/physical safeguards and documentation practices.
- Vendor controls: Business associate agreements (BAAs), vendor security reviews, and clear responsibilities.
- Ransomware preparedness: tested backups, least privilege, MFA, endpoint detection, and incident procedures consistent with HHS guidance.
- Secure communications: patient portals, encrypted messaging tools, and controlled access.
Healthcare entities often must coordinate multiple notification obligations (HIPAA breach notification rules plus state rules in certain cases). Keep a decision tree in your IR plan.
Professional services (law, accounting, consulting): confidentiality + client audits
Professional services firms often face client-driven security requirements even when laws are less explicit. Expect:
- Client security questionnaires (MFA, encryption, training, incident response)
- Contractual breach notification obligations (often faster than Delaware’s 60-day outer limit)
- Secure file sharing and retention policies
- Email security and anti-phishing controls
- Strong vendor oversight for IT providers and cloud services
GLBA/FTC Safeguards may apply to certain services depending on the nature of financial activities and customer information handled. Confirm whether the Safeguards Rule applies to your practice area.
Pro Tip: Build a “client assurance packet”: a 2–3 page summary of your controls + your policies index + your incident-response contact email. It speeds up sales cycles and renewals.
E-commerce and SaaS: privacy program maturity + monitoring
E-commerce and SaaS organizations often have:
- Larger volumes of personal data
- API and application security concerns
- Higher expectations from customers and investors
Focus areas:
- Secure SDLC basics (code review, dependency scanning, vulnerability management)
- Centralized logging and alerting for authentication anomalies and data exports
- Data minimization and retention enforcement
- Vendor/subprocessor transparency
- Privacy requests workflow if you may be covered by DPDPA and must support consumer rights and opt-outs (including opt-out preference signals in 2026 where required).
Optional—but helpful—framework alignment:
- SOC 2 (for customer trust) and/or ISO 27001 (for systematic ISMS maturity)
Employers handling HR data (SSNs, payroll, benefits)
Even if you “only” handle employee data, you may still have Delaware breach notification obligations if personal information is compromised.
Priorities:
- MFA for payroll and HR systems
- Role-based access control and quarterly access reviews
- Secure onboarding/offboarding
- Encryption for laptops and portable devices
- Data retention/disposal procedures (don’t keep SSNs in shared folders forever)
- Vendor reviews for payroll, benefits, and recruiting platforms
Delaware breach response playbook (step-by-step, compliance-minded)
When an incident occurs, your first goal is to stop the bleeding and preserve evidence, while starting a parallel track for compliance decisions.
Step 1: Containment and triage (first hours)
- Activate your incident response plan and name an incident lead.
- Preserve logs and evidence; avoid wiping systems prematurely.
- Contain: disable compromised accounts, isolate affected hosts, block suspicious IPs, rotate keys if needed.
- Start an incident timeline: who saw what, when, and what actions were taken.
- Notify your cyber insurer early (if you have a policy) and follow policy requirements.
Pro Tip: Use an out-of-band channel (phone, secure chat) if you suspect email compromise. Attackers often monitor email after initial access.
Step 2: Forensics and scope (first 24–72 hours)
- Determine what happened: phishing, exploited vulnerability, vendor compromise, lost device, etc.
- Identify impacted systems and data categories.
- Document whether Delaware “personal information” was involved (and whether it was encrypted).
- If needed, engage qualified forensics (often via insurer panel or trusted firm).
- Begin drafting decision memos: what you know, what you don’t know, what you’re doing next.
Delaware’s 60-day requirement runs from determination of the breach, so document the date of determination carefully and consistently.
Step 3: Notification decisions (Delaware + others)
For Delaware, key questions:
- Does the incident involve Delaware residents’ personal information as defined by statute?
- Does your investigation support an “unlikely to result in harm” conclusion? If so, document the basis carefully.
- If notice is required: can you meet “without unreasonable delay” and within 60 days?
- If >500 Delaware residents are notified, notify the Delaware Attorney General not later than the time you notify residents.
- If SSNs are involved, prepare the required credit monitoring offer for 1 year (unless an exception applies).
Also check for:
- Contractual notice timelines (often 24–72 hours in enterprise SaaS contracts)
- Federal/industry obligations (HIPAA, GLBA/FTC reporting, PCI/brands, insurance commissioner if applicable)
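The Step 3 questions, together with the “breach classifier” and “Delaware notice decision” worksheets mentioned elsewhere in this guide, can be captured as a small decision function so the determination date, the 60-day deadline, the AG threshold, and the credit-monitoring trigger are computed the same way every time. The code below is an added example for this guide, not code from the article or from Delaware DOJ; the field names, the sample incident facts, and the contractual notice window are assumptions, and the thresholds are the ones stated in this guide.

```python
"""Delaware notice decision worksheet as code (added example, not the article's own)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

RESIDENT_NOTICE_DAYS = 60      # outer limit, counted from determination of the breach
AG_NOTICE_THRESHOLD = 500      # AG notice when more than this many residents are notified
CREDIT_MONITORING_YEARS = 1    # offered at no cost when SSNs are involved


@dataclass
class IncidentFacts:
    detected_at: datetime
    determined_at: Optional[datetime]          # "determination of the breach"; starts the 60-day clock
    de_residents_affected: int
    personal_info_involved: bool               # per the Title 6, Chapter 12B definition
    includes_ssn: bool
    data_encrypted: bool
    harm_unlikely_documented: bool = False     # investigation supports "unlikely to result in harm", basis written down
    law_enforcement_delay: bool = False
    contract_notice_hours: Optional[int] = None  # shortest contractual notice window, if any (assumed field)


@dataclass
class NoticeDecision:
    resident_notice_required: bool = False
    resident_notice_deadline: Optional[datetime] = None
    ag_notice_required: bool = False
    credit_monitoring_required: bool = False
    contract_notice_deadline: Optional[datetime] = None
    notes: List[str] = field(default_factory=list)


def decide(f: IncidentFacts) -> NoticeDecision:
    """Walk the Step 3 questions in order and record the reasoning as notes."""
    d = NoticeDecision()
    # Contractual clocks usually run from detection and are shorter than the statute.
    if f.contract_notice_hours is not None:
        d.contract_notice_deadline = f.detected_at + timedelta(hours=f.contract_notice_hours)
        d.notes.append(f"Contractual notice due within {f.contract_notice_hours}h of detection.")
    if not f.personal_info_involved:
        d.notes.append("No Delaware personal information involved: resident notice not triggered; check other regimes.")
        return d
    if f.data_encrypted:
        d.notes.append("Data was encrypted: record this fact and confirm its statutory effect with counsel.")
    if f.harm_unlikely_documented:
        d.notes.append("Documented 'unlikely to result in harm' determination: retain investigation notes and harm analysis.")
        return d
    d.resident_notice_required = True
    if f.determined_at is None:
        d.notes.append("Determination date not yet recorded: record it as soon as the breach is determined.")
    else:
        d.resident_notice_deadline = f.determined_at + timedelta(days=RESIDENT_NOTICE_DAYS)
        d.notes.append("Resident notice without unreasonable delay and no later than the 60-day deadline.")
    if f.law_enforcement_delay:
        d.notes.append("Law enforcement delay requested: document the request; the 60-day limit may be extended.")
    if f.de_residents_affected > AG_NOTICE_THRESHOLD:
        d.ag_notice_required = True
        d.notes.append("Notify the Delaware Attorney General not later than the time residents are notified.")
    if f.includes_ssn:
        d.credit_monitoring_required = True
        d.notes.append(f"Offer {CREDIT_MONITORING_YEARS} year of credit monitoring at no cost, with enrollment and credit-freeze information.")
    return d


# Constructed sample incident: 1,200 Delaware residents, SSNs involved, 72-hour contract clause.
SAMPLE_INCIDENT = IncidentFacts(
    detected_at=datetime(2026, 3, 1, 9, 0),
    determined_at=datetime(2026, 3, 2, 16, 0),
    de_residents_affected=1200,
    personal_info_involved=True,
    includes_ssn=True,
    data_encrypted=False,
    contract_notice_hours=72,
)

if __name__ == "__main__":
    result = decide(SAMPLE_INCIDENT)
    print("Resident notice by:", result.resident_notice_deadline)
    print("AG notice:", result.ag_notice_required, "| Credit monitoring:", result.credit_monitoring_required)
    for n in result.notes:
        print("-", n)
```

The point of writing it down this way is the audit trail: every answer comes with the note that explains it, and the determination date is a single field that everyone uses, which is the discipline Mistake 5 below describes.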
Step 4: Customer communications (clear, factual, non-alarming)
A strong breach notice and customer communication plan:
- States what happened (in plain language, without speculation)
- States what information was involved (categories)
- States what you did to contain and improve security
- States what the recipient can do (password reset, fraud alert, credit freeze)
- Provides a clear contact channel and an FAQ page
Delaware DOJ provides breach guidance and intake expectations for certain reporting scenarios.
Step 5: Recovery, hardening, and lessons learned (two weeks and beyond)
- Restore from known-good backups; validate integrity before returning systems to production
- Reset credentials comprehensively (especially privileged accounts)
- Address root cause (patch, reconfigure, segment network, improve email security)
- Conduct a lessons-learned review and update policies/training
- Capture artifacts for compliance and insurance
Common audit, inspection, and “proof artifact” expectations
Even when you’re not facing a formal government audit, you’ll encounter compliance reviews from:
- Enterprise customers (security questionnaires)
- Payment providers/acquirers (PCI)
- Investors (due diligence)
- Cyber insurers (renewals)
- Regulators (in certain sectors)
Here are the artifacts that most commonly matter.
Policy and program artifacts (what to show)
- Written information security program (WISP) (or equivalent security policy set)
- Incident response plan + tabletop exercise notes
- Access control policy, MFA enforcement evidence, admin account list
- Data retention and disposal policy
- Vendor risk management policy + vendor inventory
If you’re subject to GLBA/FTC Safeguards, having a documented security program is central to compliance.
If you’re a Delaware insurance licensee, the insurance cybersecurity statute also emphasizes an information security program.
Operational evidence (what proves you actually do it)
- Training completion logs and phishing simulations (if used)
- Patch reports (monthly summaries, critical patch SLAs)
- Vulnerability scan summaries + remediation tickets
- Backup logs + restore test results
- Access review records (quarterly for critical systems)
- Incident tickets, timelines, and after-action reports
Pro Tip: Keep evidence in a single “Compliance Evidence” folder structure with consistent naming. The #1 SMB failure mode is evidence scattered across email, chat, and tribal knowledge.
Vendor evidence (especially for SaaS and regulated data)
- SOC 2 reports (where available) or equivalent attestations
- Vendor questionnaires and review notes
- Contract clauses (security requirements, breach notification, subprocessors)
- List of vendors with data access and data categories
For DPDPA-covered organizations, vendor/processor responsibilities are closely tied to statutory duties.
Common mistakes that cause noncompliance (and how to avoid them)
Here are the patterns that most often derail Delaware business cybersecurity compliance efforts:
Mistake 1: Treating compliance as “one-and-done”
Policies written once and never updated (or never followed) are a liability. Fix it by:
- Scheduling annual policy reviews
- Assigning owners per policy
- Running at least one annual tabletop exercise
Mistake 2: Ignoring vendor risk until after a breach
Vendor issues become your incident when your customers are affected. Fix it by:
- Tiering vendors (critical vs. non-critical)
- Contracting for breach notification timing and cooperation
- Reviewing critical vendors annually
Mistake 3: Underestimating identity risk (email compromise)
Email compromise can lead to wire fraud, payroll diversion, and credential stuffing. Fix it by:
- Enforcing MFA for email and admin accounts
- Using conditional access rules and suspicious sign-in alerts
- Training staff on invoice and bank-change verification
Mistake 4: Patching “when we have time”
Attackers exploit known vulnerabilities quickly. Fix it by:
- Setting patch SLAs (critical within 7–14 days, faster if internet-exposed)
- Tracking exceptions with documented compensating controls
Mistake 5: No breach decision discipline (dates, determination, documentation)
Delaware’s notice deadline is tied to determination and requires notice within 60 days. If you can’t clearly explain your determination date and investigative steps, you lose credibility.
Fix it by:
- Maintaining an incident timeline template
- Assigning a documentation owner during incidents
- Pre-building your “Delaware notice decision” worksheet
Practical tools you can implement now
This section gives you concrete, compliance-oriented tools you can apply without drowning in bureaucracy.
Sample policy outline (not a full legal template)
Use this as a minimum policy set outline for SMBs:
- Information Security Policy (WISP summary)
- Acceptable Use & Device Policy
- Access Control Policy (MFA, least privilege, account lifecycle)
- Data Classification + Data Handling
- Encryption + Key Management (high-level)
- Vulnerability Management & Patching
- Logging & Monitoring
- Incident Response Plan
- Backup & Disaster Recovery
- Vendor Risk Management
- Security Awareness & Training
- Data Retention and Secure Disposal
Pro Tip: Put “purpose + scope + minimum requirements + evidence” in every policy. Evidence is what makes policies compliance-ready.
Minimum viable security checklist for Delaware SMBs
If you want a baseline that supports cybersecurity requirements for Delaware businesses in 2026, start here:
Identity & access
- MFA on email, payroll/finance, admin consoles, remote access
- Unique accounts (no shared admin logins)
- Quarterly access reviews for critical systems
- Offboarding checklist completed within 24 hours for departures
Device & network
- Full-disk encryption on laptops
- Endpoint protection/EDR enabled
- Separate guest Wi-Fi from business/POS networks
- Secure remote access (no open RDP to the internet)
Data protection
- Encryption in transit (TLS) for websites/apps
- Secure backups (at least one offline/immutable copy)
- Restore test performed at least quarterly
- Data retention and disposal rules defined and followed
Vulnerability management
- Monthly patching; critical patch SLA defined
- Vulnerability scans (internal cadence; external if required by PCI)
- Exceptions documented with compensating controls
Monitoring & response
- Admin and suspicious sign-in alerts enabled
- Logs retained and accessible for investigations
- Incident response plan exists and is tested annually
- Breach decision worksheet includes Delaware timelines and AG criteria
Metrics/KPIs to track (simple, defensible, and useful)
Choose a handful you can reliably measure:
- MFA coverage: % of critical systems with MFA enforced
- Patch compliance: % of endpoints meeting patch SLA; # of critical overdue
- Phishing resilience: training completion rate; phishing simulation click rate (if used)
- Backup reliability: % successful backups; last successful restore test date
- Vendor coverage: % of critical vendors reviewed in last 12 months
- Incident readiness: time-to-detect (TTD) and time-to-contain (TTC) for security alerts
- Access review health: % of quarterly reviews completed on time
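The patch-compliance KPI above (% of endpoints meeting patch SLA, number of critical overdue) and the patch SLA and exception rules from Mistake 4 can be computed from the same vulnerability-finding list, which also turns “exceptions documented with compensating controls” into something you can check mechanically. The script below is an added example for this guide, not code from the article or from any scanner vendor: the finding records, asset names, placeholder vulnerability IDs, and the exact SLA day counts are assumptions (the article gives 7–14 days for critical, faster if internet-exposed).

```python
"""Patch SLA status and KPI computation over constructed findings (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed SLA windows in days; the article states critical within 7-14 days,
# faster when internet-exposed. The high/medium values are constructed.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}
INTERNET_EXPOSED_CRITICAL_DAYS = 7


@dataclass
class Finding:
    asset: str
    vuln_id: str                 # placeholder ids below; real findings would carry scanner/CVE ids
    severity: str
    internet_exposed: bool
    discovered: date
    remediated: Optional[date] = None
    exception_until: Optional[date] = None
    compensating_control: str = ""   # an exception without this is not a valid exception


def due_date(f: Finding) -> date:
    days = SLA_DAYS[f.severity]
    if f.severity == "critical" and f.internet_exposed:
        days = INTERNET_EXPOSED_CRITICAL_DAYS
    return f.discovered + timedelta(days=days)


def has_valid_exception(f: Finding, today: date) -> bool:
    return f.exception_until is not None and f.exception_until >= today and bool(f.compensating_control.strip())


def status(f: Finding, today: date) -> str:
    """One of: met, late, excepted, overdue, open."""
    due = due_date(f)
    if f.remediated is not None:
        return "met" if f.remediated <= due else "late"
    if has_valid_exception(f, today):
        return "excepted"
    return "overdue" if today > due else "open"


def kpis(findings: List[Finding], today: date) -> Dict[str, object]:
    """Compute the patch-compliance KPIs the article lists, plus the exception hygiene check."""
    by_status = {f.vuln_id: status(f, today) for f in findings}
    assets = {f.asset for f in findings}
    overdue_assets = {f.asset for f in findings if by_status[f.vuln_id] == "overdue"}
    resolved = [s for s in by_status.values() if s in ("met", "late", "excepted", "overdue")]
    attained = sum(1 for s in resolved if s in ("met", "excepted"))
    return {
        "endpoints_meeting_sla_pct": round(100.0 * (len(assets) - len(overdue_assets)) / len(assets), 1),
        "sla_attainment_pct": round(100.0 * attained / len(resolved), 1) if resolved else 100.0,
        "critical_overdue": sum(1 for f in findings if f.severity == "critical" and by_status[f.vuln_id] == "overdue"),
        "undocumented_exceptions": sum(1 for f in findings
                                       if f.exception_until is not None and not f.compensating_control.strip()),
        "overdue_ids": sorted(f.vuln_id for f in findings if by_status[f.vuln_id] == "overdue"),
    }


TODAY = date(2026, 4, 15)   # constructed reporting date

# Constructed findings; VULN-* ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("srv-web-01", "VULN-1", "critical", True, date(2026, 4, 1)),
    Finding("srv-web-01", "VULN-2", "high", True, date(2026, 4, 1), remediated=date(2026, 4, 10)),
    Finding("lt-finance-07", "VULN-3", "critical", False, date(2026, 4, 5), remediated=date(2026, 4, 12)),
    Finding("db-legacy-02", "VULN-4", "critical", False, date(2026, 3, 1),
            exception_until=date(2026, 6, 30), compensating_control="isolated VLAN, no inbound access"),
    Finding("db-legacy-02", "VULN-5", "medium", False, date(2026, 3, 1)),
    Finding("pos-store-03", "VULN-6", "high", False, date(2026, 1, 10), remediated=date(2026, 3, 1)),
    Finding("pos-store-03", "VULN-7", "critical", False, date(2026, 3, 20), exception_until=date(2026, 6, 30)),
    Finding("lt-hr-02", "VULN-8", "high", False, date(2026, 4, 1), remediated=date(2026, 4, 3)),
]

if __name__ == "__main__":
    for k, v in kpis(SAMPLE_FINDINGS, TODAY).items():
        print(f"{k}: {v}")
```

Note how VULN-7 is treated: it has an exception date but no compensating control, so it counts as overdue and is flagged as an undocumented exception, rather than quietly dropping out of the numbers. The printed dictionary is the kind of monthly patch summary the “Operational evidence” section expects you to keep.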
Pro Tip: For SMBs, consistency beats complexity. Five reliable KPIs are better than 30 unreliable ones.
Quick-start steps + a 30/60/90-day compliance roadmap (2026)
If you’re starting from scratch—or tightening things up—use this plan.
Quick-start (first 10 business days)
- Turn on MFA for email and admin accounts.
- Inventory systems that store personal data (customer + employee).
- Confirm backup status and perform a test restore.
- Create or update an incident response plan with Delaware notification decision points (60-day clock, AG threshold, SSN credit monitoring).
- Pick a vulnerability/patch cadence and assign ownership.
30 days: establish the baseline
- Draft a right-sized WISP and core policies
- Complete an initial risk assessment and remediation backlog
- Implement endpoint protection across devices
- Start training (phishing awareness + reporting)
- Create a vendor inventory and tier your vendors
60 days: add proof and resilience
- Run your first tabletop exercise and document outcomes
- Implement access reviews for critical systems
- Set up logging/alerting for suspicious sign-ins and admin activity
- Perform vulnerability scanning and document remediation
- Update vendor contracts (or add addenda) for breach notification and security expectations
90 days: move toward “audit-ready”
- Create an evidence repository (policies, logs, tickets, reports)
- Implement data retention and disposal procedures
- Ensure PCI DSS requirements are addressed if you accept cards (scope + SAQ approach), keeping in mind PCI DSS v4.x expectations in effect.
- If applicable, confirm HIPAA/GLBA/insurance scope and align documentation accordingly
- Define 6–12 month security goals (SOC 2 readiness, ISO-aligned improvements, SIEM expansion)
FAQs
Q1) What cybersecurity laws apply to Delaware businesses in 2026?
Answer: Most Delaware businesses should evaluate (1) Delaware’s data breach notification law (Title 6, Chapter 12B) and (2) whether they fall under the Delaware Personal Data Privacy Act (Title 6, Chapter 12D).
Many also have federal/industry obligations like PCI DSS for card payments, HIPAA for healthcare, GLBA/FTC Safeguards for certain financial activities, or Delaware insurance cybersecurity rules for licensees.
Q2) When must a Delaware business notify customers of a data breach?
Answer: Delaware requires notice without unreasonable delay and no later than 60 days after determination of the breach, with limited exceptions (e.g., law enforcement delay or shorter federal timelines).
Q3) What counts as “personal information” in Delaware?
Answer: Delaware’s breach law uses a statutory definition that depends on specific data elements (and in many cases combinations with identifiers). Confirm the current definition directly in Delaware Code (Title 6, Chapter 12B) when evaluating an incident.
Q4) Do small businesses in Delaware have compliance requirements too?
Answer: Yes. Delaware’s breach notification obligations apply broadly to entities conducting business in Delaware that own/license covered personal information. Even very small businesses can have obligations if they handle employee SSNs, customer credentials, or other covered data.
Q5) Do I need a written information security program (WISP)?
Answer: Often, yes—at least in a lightweight form. A WISP is a best practice for demonstrating “reasonable safeguards,” and it’s central to certain regimes like the GLBA/FTC Safeguards Rule and Delaware insurance cybersecurity requirements for licensees. Even when not strictly mandated, it’s one of the best ways to make your program consistent and auditable.
Q6) Does PCI compliance replace Delaware legal obligations?
Answer: No. PCI DSS is a contractual/industry standard for payment card data. Delaware breach notification rules can still apply if a security incident involves Delaware personal information (or other regulated data), regardless of PCI obligations. Delaware also requires AG notice if >500 residents are notified.
Q7) How do vendor breaches affect my company’s responsibility?
Answer: If your vendor experiences an incident that impacts your customers’ data, you may still have obligations to investigate and potentially notify affected individuals and the Delaware AG (depending on thresholds).
Delaware law also contemplates scenarios involving entities that maintain data on behalf of others—so contracts and coordination matter.
Q8) What are the best low-cost cybersecurity controls for SMBs?
Answer: High ROI controls include: MFA for email/admin accounts, endpoint protection, automated patching, encrypted laptops, secure backups with restore tests, basic logging/alerts for suspicious sign-ins, and employee security training. These align strongly with “reasonable safeguards” expectations across common regimes.
Q9) If a breach includes Social Security numbers, what must we do in Delaware?
Answer: Delaware requires offering 1 year of credit monitoring at no cost to affected residents when SSNs are involved (with required enrollment and credit-freeze information), subject to statutory conditions.
Q10) When must we notify the Delaware Attorney General about a breach?
Answer: If the number of Delaware residents to be notified exceeds 500, you must provide notice to the Delaware Attorney General not later than the time you notify residents.
Q11) What does the Delaware Personal Data Privacy Act require from covered organizations?
Answer: It provides consumer rights (access, correction, deletion, portability, opt-outs) and imposes duties on controllers/processors, including maintaining reasonable security practices appropriate to the data. It also includes requirements affecting opt-out mechanisms in 2026.
Q12) Are there 2026-specific privacy requirements I should watch for?
Answer: Yes—Delaware’s privacy law includes an obligation tied to January 1, 2026 related to opt-out preference signals for targeted advertising and/or sale of personal data under certain conditions. Confirm applicability and implementation details in the current statute and any official guidance.
Q13) What if we’re subject to GLBA/FTC Safeguards—what should we prioritize?
Answer: Prioritize a documented information security program, risk-based controls (access controls, encryption, monitoring), vendor oversight, and incident preparedness. The FTC provides guidance and the rule is codified in 16 CFR Part 314.
Q14) What if we’re a HIPAA business associate (BA)?
Answer: Then you must implement HIPAA Security Rule safeguards for ePHI, maintain required policies/procedures, and be prepared for security incidents (including ransomware) consistent with HHS guidance.
Q15) What should we document to be “audit-ready”?
Answer: At minimum: WISP/policies, risk assessment, training logs, access reviews, patch/vulnerability evidence, backup/restore tests, incident response plan + tabletop, and vendor reviews/contracts. These artifacts are often what customers, insurers, and regulators request first.
Conclusion
Staying compliant in 2026 is less about chasing every new security tool and more about building a repeatable, documented program that matches your risk. For most organizations, Delaware business cybersecurity compliance comes down to three habits:
- Know your data and obligations (Delaware breach law, DPDPA applicability, and federal/industry rules).
- Implement core controls (MFA, encryption, backups, patching, monitoring, incident response, vendor management).
- Keep proof (policies, risk assessments, training logs, vendor reviews, and tested response procedures).