On March 26, 2020, amendments to Washington, D.C.’s data breach notification law were enacted in bill number B23-0215.  Put briefly, the amendments impose various prevention, response, and mitigation obligations on businesses regarding data breaches that affect D.C. residents.  Below is a summary of the key changes of which businesses should be aware.

The nuts and bolts

  • The amendments expand the definition of personal information to include:
    • an individual’s first name, first initial and last name, or any other personal identifier, when combined with health information, genetic information, passport numbers, taxpayer identification numbers, health insurance information, or biometric data (this is in addition to the previously-listed data elements: social security number (SSN); driver’s license number or D.C. identification card number; or credit or debit card number);
    • any combination of the listed data elements that “would enable a person to commit identity theft without reference to a person’s first name or first initial and last name or other independent personal identifier”; and
    • user names or email addresses that allow access to an individual’s email account, when combined with the above-listed data elements (or another means of verification).
  • The amendments include the following additional requirements for the content of consumer notifications after a breach:
    • a description of the categories of personal information acquired or reasonably believed to have been acquired by an unauthorized person;
    • contact information for the notifying company, the FTC, the D.C. attorney general (AG), and the major consumer reporting agencies; and
    • notification that consumers have a right to a free security freeze (under federal law) and, in certain instances, a right to identity theft prevention services.
  • The amendments also mandate that a company provide 18 months of identity theft prevention services to consumers when there is a breach of SSNs or taxpayer identification number.
  • The amendments further include a new requirement that the AG be given written notice of a data breach that impacts 50 or more D.C. residents, which must include, inter alia: (i) the nature of the breach; (ii) the types of personal information compromised; and (iii) the remedial action taken. The amendments also give the AG rulemaking authority regarding their notification provisions.
  • The amendments require implementation and maintenance of reasonable security measures and practices for any persons or entities that own, license, maintain, handle or otherwise process personal information of a D.C. resident. Such security measures must be “appropriate to the nature of the personal information and the nature and size of the entity or operation.”
  • The amendments also make a violation of D.C.’s data breach law an unfair or deceptive trade practice.

The law does provide some relief for entities subject to sectoral privacy and data security laws; it contains certain exceptions for entities subject to the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act.  The amendments are set to take effect 30 days from the date of the D.C. mayor’s approval, following publication in the D.C. Register.

Comment

The amendments demonstrate the trend of state focus on privacy rights and the imposition of data security requirements on businesses.  By expanding the definition of personal information, the scope of the law likely covers more businesses that collect or process consumer information.  In addition, the requirement that organizations that own, license, or otherwise handle personal information establish reasonable security procedures imposes greater responsibility on businesses to ensure that they have sensible and defensible practices in place to prevent potential data breaches.  Requiring written notification to the AG for breaches of a certain size suggests potentially stricter enforcement and greater scrutiny regarding violations of the breach law.  Businesses that collect and utilize personal information should also consider an appropriate AG outreach strategy as part of their broader approach to government relations.  All told, the recent amendments highlight the organizational importance in having effective privacy procedures, controls, and safeguards in place to manage privacy obligations and to avoid legal fallout.

While COVID-19 dominates the news cycle, businesses should not lose sight of evolving privacy laws that can have significant financial, legal, and reputational implications.  The D.C. amendments are a reminder that the privacy landscape is ever-changing and that it remains vital for businesses to diligently assess legal risks, construct compliance programs, and respond to new developments that impact business decisions and increase risk exposure.