District of Columbia Consumer Security Breach Notification
D.C. Code § 28-3851 - § 28-3853
SUMMARY:
EFFECTIVE. July 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in the District of Columbia and owns or licenses computerized or electronic data that includes Personal Information; and (2) any person or entity that maintains or otherwise handles computerized data that includes Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of computerized or electronic data, or related data storage equipment that compromises the security, integrity or confidentiality of Personal Information maintained by a person or business.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name, or telephone number, or address in combination with any one or more of the following data elements:
- Social Security number, Individual Tax Identification Number, passport number, driver’s license number, District of Columbia Identification Card number, military identification number, or other unique identification number used to verify the identity of a specific individual.
- Account number, credit card number, or debit card number, or any other number or code or combination thereof such as an identification number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.
- Medical information, biometric data, genetic information, and DNA profile.
- Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify an individual which permits access to their health and billing information.
- A username or email address in combination with a password, security question and answer, or other means to access the account, or any combination of the above data sets that would permit access to an individual’s email account.
Personal Information does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected District of Columbia residents. If more than 50 District residents are notified, the person or business must also provide notice to the Attorney General for the District of Columbia; that government notice must meet specific content requirements. If more than 1,000 individuals are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1681a(p)) of the timing, distribution, and content of the notice. Notice to the consumer reporting agencies is not required of a person or business that is subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.
EXCEPTION. This Section does not apply to the following:
- Information that has been rendered secure, including by encryption or redaction, so as to be unusable by an unauthorized person or entity.
- A good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, provided it is not subject to further unauthorized disclosure. Acquisition of data that is secure or unusable by a third party is also not considered a breach.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, and whose procedures are otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected District of Columbia individuals are notified by the person or business in accordance with those policies.
- A person or business that maintains procedures for breach notification under Title V of the Gramm-Leach-Bliley Act and provides such notice to the affected District of Columbia residents is considered to be in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent promptly to the affected District of Columbia residents after the person or business becomes aware of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the measures necessary to determine the nature and scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines that it would impede a criminal investigation and requests the delay. In that instance, notification must be made as soon as possible after law enforcement gives clearance.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if the consumer has consented to receipt of electronic notice consistent with the federal E-SIGN Act, 15 U.S.C. § 7001, 114 Stat. 641).
- Substitute notice as provided below.
The Notice must include the following:
- A description of the information that was, or is reasonably believed to have been, acquired.
- Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained.
- The toll-free telephone numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge, and information on how a resident may request a security freeze.
- The toll-free telephone numbers, addresses, and website addresses for the Federal Trade Commission and the Attorney General for the District of Columbia, and a statement that an individual can obtain information from these sources about steps to take to avoid identity theft.
Credit Monitoring. If the breach includes or is reasonably believed to include Social Security numbers or tax identification numbers, the entity shall offer to each resident whose Social Security number or tax identification number was affected identity theft protection services at no cost for eighteen (18) months. The notice must include information necessary to enroll in the services.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $50,000, the number of persons to be notified exceeds 100,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice, if the person or business has email addresses for the individuals subject to the notice.
- Conspicuous posting of the notice on the website of the person or business.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains or otherwise handles computerized or electronic data that includes Personal Information that it does not own, then the person or business shall immediately notify the owner or licensee upon discovery of the breach. The person or entity that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any District of Columbia resident injured by a violation of this Section may bring a civil lawsuit to recover actual damages and attorneys’ fees and costs, but not pain and suffering.
The Attorney General may bring an action for permanent injunctive relief on behalf of District of Columbia residents affected by a violation of this Section, including recovery of lost property or damages. The Attorney General may also collect no more than $100 for each violation plus attorney’s fees and costs. Failure to notify an individual District of Columbia resident constitutes a separate violation.
PRIVATE RIGHT OF ACTION. Yes. Any resident injured by a violation may file a civil action to recover damages, costs of the action, and reasonable attorney fees. Damages shall not include pain and suffering.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
Council Bill 16-810 – signed into law 3/8/2007, Effective 7/1/2007.
Council Bill 23-0215 – signed into law 3/26/2020, Effective 6/17/2020.
For more information, see: https://code.dccouncil.us/us/dc/council/code/sections/28-3852.html and https://oag.dc.gov/requirements-districts-data-breach-notification
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.