Washington D.C. Amends Data Breach Notification Statute (27 May)
Written by: Charles R. Langhorne IV, Esq.
Washington D.C. amended its data breach notification statute at the end of March. The new law is set to take effect by June 13, 2020. This is the first update to the law since it was passed in 2007.
Personal Information Defined
Washington D.C. is following the national trend in expanding the definition of “Personal Information.” Specifically, D.C. is adding the following data elements to the definition:
- individual taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document;
- financial account number or any other combination of numbers or codes that may allow access to an individual’s financial or credit accounts;
- medical information, biometric data, genetic information, health insurance information, and DNA profile; and
- username or email address in combination with any authenticators necessary to access a person’s account.
As expected, the law includes a catch-all provision that states any combination of the listed data elements that would enable a person to commit identity theft is also Personal Information.
Content of Notices to Residents
The law also includes a new provision for the contents of the notification should an entity experience a breach. Specifically, those requirements are:
- Description of the categories of information subject to the breach;
- Contact information for the entity making the notification;
- Contact information for the major reporting agencies;
- A statement notifying the resident of their right to request a security freeze;
- Contact information for the Federal Trade Commission and the D.C. Attorney General.
Attorney General Notification
The law provides that notice must be given to the D.C. Attorney General if the breach affects 50 or more D.C. residents.
Most notably, the law includes security requirements not seen in many state data breach notification laws. The requirement itself, however, is the familiar, vague duty to “implement and maintain reasonable security safeguards” to protect Personal Information. In addition, the law adds a GDPR-like requirement: entities that use third-party service providers to process Personal Information must have written contracts in place requiring those service providers to also “implement and maintain reasonable security safeguards” for that Personal Information.
Another feature that is not commonly seen among other state statutes is the requirement to offer free identity theft protection services to affected individuals for a period of at least 18 months. Entities are only required to do this when the breach involves social security numbers or taxpayer identification numbers.
Offering such services is a common way to show corporate goodwill after a breach, but few states make it a requirement.
What Does This Mean?
More and more states are requiring businesses to implement data security measures. If you have not assessed the security of your business’s practices for storing and transmitting Personal Information, now is the time.