The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
District of Columbia
Data Breach Notification Statute
Covered Entities: Any person or entity that conducts business in D.C. and, in the course of that business, owns, possesses, maintains, or licenses computerized or electronic personal information.
Consumer Notification: Any D.C. resident whose personal information was included in the breach, or the owner or licensee of the personal data if the notifying entity is not the owner or licensee.
Regulatory Notification: Notice must be given to the Office of the Attorney General for the District of Columbia if the breach affects 50 or more D.C. residents.
Notification Timeline: The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Data Format: Computerized or electronic.
Citations: D.C. Code §§ 28-3851(1), 28-3851(1)(B)(i)-(iii), 28-3851(3)(A), 28-3852(a)-(b).
- Breach: “Breach of the security of the system” means unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information.
- Personal Information (PI): An individual’s first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information:
- Social security number,
- Individual Taxpayer Identification Number,
- Passport number,
- Driver's license number,
- District of Columbia identification card number,
- Military identification number,
- Other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account;
- Medical information;
- Genetic information or DNA profile;
- Health insurance information;
- Biometric data, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual’s identity;
- Any combination of data elements listed above that would enable a person to commit identity theft without reference to a person’s first name or first initial and last name or other independent personal identifier;
- A username or e-mail address in combination with a password, security question and answer, or other means of authentication; or
- Any combination of data elements listed above that permits access to an individual’s e-mail account.
- Medical Information: Any information about a consumer’s dental, medical, or mental health treatment or diagnosis by a health-care professional.
- Health Insurance Information: A policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information.
- Encryption: The definition of breach excludes acquisition of data that has been rendered secure, including through encryption or redaction of such data, so as to be unusable by an unauthorized third party, unless any information obtained has the potential to compromise the effectiveness of the security protection preventing unauthorized access.
- Good Faith: The definition of breach also excludes a good-faith acquisition of personal information by an employee or agent of the person or entity for the purposes of the person or entity, if the personal information is not used improperly or subject to further unauthorized disclosure.
- Risk of Harm: Notification not required if the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, that the unauthorized acquisition of personal information of an individual will likely not result in harm to the individual.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation but shall be made as soon as possible after the law enforcement agency determines that the notification will not compromise the investigation.
- Timing: The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Format: N/A
- Content: The notification to any D.C. resident whose personal information was included in the breach must include:
- To the extent possible, a description of the categories of information that were, or are reasonably believed to have been acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been acquired;
- Contact information for the entity making the notification, including business address, phone number, and toll-free number if one is maintained;
- Toll-free numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge;
- Toll-free numbers and addresses for the Federal Trade Commission and the D.C. Attorney General.
- Method: Notification to affected individuals may be provided by (A) Written notice; (B) Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001; or (C) Substitute notice (see below).
An entity may provide substitute notice if any of the following applies: (1) the cost of direct notice would exceed $50,000; (2) the number of persons to receive notice exceeds 100,000; or (3) the entity does not have sufficient contact information.
An entity must provide at least 18 months of free identity theft protection services to affected individuals if the breach involves Social Security numbers or taxpayer identification numbers.
Credit Reporting Agencies Notice:
If a person or entity is required to notify more than 1,000 D.C. residents at a single time, the person or entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
A person or entity that maintains procedures for a breach notification system under the Health Insurance Portability and Accountability Act (“HIPAA”), and provides notice in accordance with such Act, and any rules, regulations, guidance and guidelines thereto, to each affected resident in the event of a breach, shall be deemed to be in compliance with this section with respect to the notification of residents whose personal information is included in the breach. The person or entity shall, in all cases, provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia.
- General Data Security Requirements: The law establishes data security requirements for covered businesses. Any business that owns, licenses, maintains, handles, or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation. D.C. Code § 28-3852.01(a). Covered entities must enter into written agreements with their third-party service providers requiring the service provider to implement and maintain similar reasonable security procedures and practices. D.C. Code § 28-3852.01(b).
Information Security Standard
Covered Entities: Any person or entity who conducts business in D.C. and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information (“PI”).
First Party Security Standard: A business that owns, licenses, or maintains personal information about a District of Columbia resident shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.
Third Party Security Standard: A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices that (1) are appropriate to the nature of the personal information disclosed to the nonaffiliated third party and (2) are reasonably designed to protect the personal information from unauthorized access, use, modification, and disclosure.
Disposal/Destruction Standard: When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account: (1) the sensitivity of the records; (2) the nature and size of the business and its operations; (3) the costs and benefits of different destruction and sanitation methods; and (4) available technology.
Data Format: Electronic and physical.
Citations: D.C. Code § 28-3852.01.
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or District of Columbia identification card number;
- Tax identification number, passport number, military identification number, or other unique government-issued identification number used to verify identity;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
- Medical information;
- Genetic information and DNA profile;
- Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual’s health and billing information;
- Biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account; or
- Any combination of data elements included in the above bullet points that would enable a person to commit identity theft without reference to a person’s first name or first initial and last name or other independent personal identifier.
- A username or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in the above bullet points, that permits access to an individual's email account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define acceptable methods of compliance.
- Health Care: N/A
- Financial: N/A
- Other: N/A
The Attorney General may seek direct damages and injunctive relief.