District of Columbia Data Breach Notification Requirements
WHAT ENTITIES ARE SUBJECT TO DC DATA BREACH NOTIFICATION LAW? Any person or entity that conducts business in the District of Columbia, and that, in the course of such business, owns or licenses computerized or other electronic data that includes personal information. The law also covers any person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own.
WHAT INFORMATION IS PROTECTED? Personal information, which includes:
An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information:
Social security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account;
Medical information;
Genetic information and DNA profile;
Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information;
Biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account; or
Any combination of data elements included in the above that would enable a person to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier.
A user name or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of sub-subparagraph (i) that permits access to an individual's e-mail account.
WHAT IS A BREACH? Any unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.
DOES NOT INCLUDE
A good-faith acquisition of personal information by an employee or agency of the person or entity for the purposes of the person or entity if the personal information is not used improperly or subject to further unauthorized disclosure;
Acquisition of data that has been rendered secure, including through encryption or redaction of such data, so as to be unusable by an unauthorized third party unless any information obtained has the potential to compromise the effectiveness of the security protection preventing unauthorized access; or
Acquisition of personal information of an individual that the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, will likely not result in harm to the individual.
WHAT MUST A BUSINESS DO UPON DISCOVERY OF BREACH? “Promptly" notify any District of Columbia resident whose personal information was included in the breach, in “the most expedient time possible and without unreasonable delay,” with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Any person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own shall notify the owner or licensee of the information of any breach of the security of the system “in the most expedient time possible following discovery.”
Notification may be delayed with the cooperation of law enforcement.
If the breach affects 50 or more District residents, written notice of the data breach must be given to the Office of the Attorney General for the District of Columbia (“OAG”). (To report a breach to OAG, email databreach@dc.gov.) This notice must be made in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided under subsection (a) of this section. The written notice must include:
The name and contact information of the person or entity reporting the breach;
The name and contact information of the person or entity that experienced the breach;
The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach;
The types of personal information compromised by the breach;
The number of District residents affected by the breach;
The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known;
The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach;
The date and time frame of the breach, if known;
The address and location of corporate headquarters, if outside of the District;
Any knowledge of foreign country involvement; and
A sample of the notice to be provided to District residents.
If more than 1,000 persons are affected by the data breach, the responsible person or entity must notify all consumer reporting agencies of the timing, distribution and content of the notices. This does not apply to persons or entities required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act.
NOTIFICATION METHODS: Written notice. Electronic notice is permitted if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act.
Substitute notice is permitted if the person or entity demonstrates that the cost of providing notice to persons subject to this subchapter would exceed $50,000, that the number of persons to receive notice under this subchapter exceeds 100,000, or that the person or entity does not have sufficient contact information.
WHAT MUST THE DATA BREACH NOTIFICATION INCLUDE?
To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired;
Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained;
The toll-free telephone numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge and information explaining how to request a security freeze; and
The toll-free telephone numbers, addresses, and website addresses for the Federal Trade Commission and the OAG, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft:
D.C. law provides a simpler method for data breaches involving only a user name or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements that permit access to an individual's e-mail account. In such cases, notification may be provided in electronic format or other form that directs the person to (1) change the person's password and security question or answer, as applicable, or (2) take other steps appropriate to protect the e-mail account with the person or entity and all other online accounts using the same username or email address and password or security question or answer.
REMEDIES: If the data breach includes or is reasonably believed to include a social security number or taxpayer identification number, the breached person or entity must offer to each affected District resident identity theft protection services at no cost for at least 18 months.
COMPLIANCE WITH FEDERAL LAW: A person or entity that maintains procedures for a breach notification system under Title V of the Gramm-Leach-Bliley Act, or the breach notification rules established pursuant to the Health Insurance Portability Accountability Act of 1996, or the Health Information Technology for Economic and Clinical Health Act, and provides notice in accordance with such Acts, and any rules, regulations, guidance and guidelines thereto, to each affected resident in the event of a breach, shall be deemed to be in compliance with this section with respect to the notification of residents whose personal information is included in the breach. However, the responsible person or entity still must provide written notice of the data breach to OAG.
SOURCE: D.C. Code 28-3851 et seq.
Sean Griffin is an attorney and certified cybersecurity expert (CIPP-US) who advises clients on cybersecurity and litigates cybersecurity/privacy cases in Virginia, Maryland, and the District of Columbia. You can reach him via email at sgriffin@dykema.com or by phone at (202) 906-8703.