D.C. Amends Data Breach Notification Law, Adds Security Requirements
At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019 into law. The Act makes significant changes to D.C.'s existing data breach law, first enacted in 2007, and is projected to take effect by June 13, 2020. Some of the major changes are summarized below.
Definition of “Personal Information” Expanded
The law adopts a broader definition, adding the following new data elements:
- individual taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document;
- financial account number or any other combination of numbers or codes that may allow access to an individual’s financial or credit accounts;
- medical information, biometric data, genetic information, health insurance information, and DNA profile; and
- username or email address in combination with any authenticators necessary to access a person’s account.
The law also includes a catch-all for any combination of enumerated data elements that would enable a person to commit identity theft.
Content Requirements for Individual Breach Notifications
The law creates new content requirements for individual notices. Namely, the notice must describe the types of data elements compromised, the contact information for the entity reporting the breach, and the toll-free numbers for the credit reporting agencies, the FTC, and the D.C. Attorney General. The notice must also include information on the right to obtain a security freeze free of charge and information about how to make such a request.
Mandatory Breach Notification to the D.C. Attorney General
There is also a new requirement to report data breaches to the D.C. Attorney General if 50 or more D.C. residents have been affected. Notice must be made no later than when notice is provided to affected D.C. residents. The law also includes specific content requirements for Attorney General notices, some of which include:
- the nature of the data breach;
- types of personal information compromised;
- the number of D.C. residents affected;
- the cause of the data breach;
- remedial steps taken; and
- a sample of the notice sent to affected D.C. residents.
The law creates new security requirements for entities handling personal information of D.C. residents: they must implement and maintain "reasonable security safeguards" to protect that personal information. Entities using third-party service providers must also have a written agreement in place requiring the service provider to implement appropriate security safeguards.
The law now requires entities that experience a data breach of social security numbers or taxpayer identification numbers to offer free identity theft protection services to affected individuals for a period of at least 18 months. With this addition, D.C. joins just a small handful of other states with potential mandatory credit monitoring requirements.
Putting it Into Practice: For companies with nationwide incident response plans, D.C.’s modified law will require some changes. Among these are the definition of personal information, the mandatory Attorney General notification, content requirements for individual notice, and potential mandatory credit monitoring.