The Act requires Delaware “licensees” (as defined in the statute, with exclusions for certain out‑of‑state risk retention and assuming insurers) to implement information security programs and conduct risk assessments to prevent data breaches involving consumers’ nonpublic information, with such programs to be implemented no later than August 1, 2020 and third‑party service provider oversight no later than August 1, 2021.