Washington D.C. Attorney General Seeks Stronger Data Security and Breach Notification Requirements
Friday, March 22, 2019
greater data privacy dc
Print Mail Download i

Add Washington D.C. Attorney General Karl A. Racine’s recent data security legislative proposal – the Security Breach Protection Amendment Act of 2019 – to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.

Proposed in response to major data breaches, a frequent catalyst to stronger data privacy and security legislation, AG Racine’s bill would expand legal protections concerning personal information to help prevent and enhance the response to a data breach. Specifically, the bill would:

  1. like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in D.C. would be much broader than New Jersey and many other states, and include – passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information;
  2. require businesses that experience a data breach to include specific information in the notifications to affected persons, such as (i) the categories of information that were, or are believed to have been, involved in the breach, (ii) contact information for the person making the notification, as well as the credit reporting agencies, the FTC, and the D.C. Attorney General, and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze; and
  3. mandate businesses offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and, in April, Massachusetts, in requiring such services be provided following certain breaches.

The bill also would mandate that businesses that handle personal information implement reasonable safeguards to protect that data. Additionally, businesses that obtain services from a nonaffiliated third party and disclose personal information of a DC resident under an agreement with that third party must require the third party by agreement to safeguard that information. Again, these changes put D.C. in the company of other states such as California, Colorado, and Massachusetts.

The legislative screws continue to tighten around data privacy and security.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

District Court Strikes Portions of Inglewood’s Healthcare Worker Minimum Wage Ordinance
by: Jonathan A. Siegel , Allen F. Acosta
Reminder: San Francisco Employer Annual Reporting Form Due May 3
by: Harold R. Jones , Julia A. Olivier
Addressing Multinational Labor and Employment Law Issues Through an International Alliance [Podcast]
by: John L. Sander
Nuanced Privacy Laws Means Healthcare Organizations Should Prioritize Protecting Personal Information
by: Michael R. Bertoncini
Reports Confirm Need for Employers to Foster Inclusive Work Environment for Black, LGBTQIA+ Youth
by: Teresa Burke Wright
U.S. Supreme Court: Alleging Discriminatory Transfer Is Sufficient Harm to Bring Title VII Claim
by: Stephanie L. Adler-Paindiris , Michael R. Hatcher
New York State Budget Includes Enhanced Employer Obligations
by: Richard Greenberg , Tania J. Mistretta
SDNY Denies Leave to Amend ERISA Complaint with “Substantively the Same Defects” as Dismissed Complaint
by: Alex E. Hotard , Phillip C. Thompson
Should We Submit Missing Participant Data to the DOL with the Plan’s Form 5500?
by: Suzanne G. Odom
USCIS Updates Form N-400 Application for Naturalization
by: Michael H. Neifach , Porter S. Young

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins