July 12, 2020

Volume X, Number 194

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

D.C. Amends Data Breach Notification Law, Adds Security Requirements

At the end of March, Washington, D.C. signed the Security Breach Protection Amendment Act of 2019, which adds some significant changes to D.C.’s existing data breach law, first enacted in 2007. The law is projected to take effect by June 13, 2020. Some of the major changes are summarized below.

Definition of “Personal Information” Expanded

The law adopts a broader definition, adding the following new data elements:

  • individual taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document;
  • financial account number or any other combination of numbers or codes that may allow access to an individual’s financial or credit accounts;
  • medical information, biometric data, genetic information, health insurance information, and DNA profile; and
  • username or email address in combination with any authenticators necessary to access a person’s account.

The law also includes a catch-all for any combination of enumerated data elements that would enable a person to commit identity theft.

Content Requirements for Individual Breach Notifications

The law creates new content requirements for individual notices. Namely, the notice must describe the types of data elements compromised, the contact information for the entity reporting the breach, the toll-free numbers for credit reporting agencies, the FTC, and the D.C. Attorney General. The notice must also include information on the right to obtain a security freeze free of charge and information about how to much such request.

Mandatory Breach Notification to the D.C. Attorney General

There is also a new requirement to report data breaches to the D.C. Attorney General if 50 or more D.C. residents have been affected. Notice must be made no event later than when notice is provided to affected D.C. residents. The law also includes specific content requirements for Attorney General notices, some of which include:

  • the nature of the data breach;
  • types of personal information compromised;
  • the number of D.C. residents affected;
  • the cause of the data breach;
  • remedial steps taken; and
  • a sample of the notice sent to affected D.C. residents.

Security Requirements

The law creates new security requirements for entities handing personal information of D.C. residents to implement and maintain “reasonable security safeguards” to protect personal information. Entities using third-party service providers must also have a written agreement in place requiring the service provider to implement appropriate security safeguards.

Credit Monitoring

The law now requires entities that experience a data breach of social security numbers or taxpayer identification numbers to offer free identity theft protection services to affected individuals for a period of at least 18 months. With this addition, D.C. joins just a small handful of other states with potential mandatory credit monitoring requirements.

Putting it Into Practice: For companies with nationwide incident response plans, D.C.’s modified law will require some changes. Among these are the definition of personal information, the mandatory Attorney General notification, content requirements for individual notice, and potential mandatory credit monitoring.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 136

TRENDING LEGAL ANALYSIS


About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334