Washington D.C. Attorney General Seeks Stronger Data Security and Breach Notification Requirements
Add Washington D.C. Attorney General Karl A. Racine’s recent data security legislative proposal – the Security Breach Protection Amendment Act of 2019 – to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.
Proposed in response to major data breaches, a frequent catalyst for stronger data privacy and security legislation, AG Racine’s bill would expand legal protections concerning personal information to help prevent data breaches and enhance the response to them. Specifically, the bill would:
- like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in D.C. would be much broader than in New Jersey and many other states, and would include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information;
- require businesses that experience a data breach to include specific information in the notifications to affected persons, such as (i) the categories of information that were, or are believed to have been, involved in the breach, (ii) contact information for the person making the notification, as well as the credit reporting agencies, the FTC, and the D.C. Attorney General, and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze; and
- mandate that businesses offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and, in April, Massachusetts, in requiring such services be provided following certain breaches.
The bill also would mandate that businesses that handle personal information implement reasonable safeguards to protect that data. Additionally, businesses that obtain services from a nonaffiliated third party and disclose personal information of a D.C. resident under an agreement with that third party must require the third party by agreement to safeguard that information. Again, these changes put D.C. in the company of other states such as California, Colorado, and Massachusetts.
The legislative screws continue to tighten around data privacy and security.