Washington, D.C. Adds Security Requirements in New Data Breach Notification Law

Washington, D.C. amended its data breach notification law (D.C. Act 23-268) on March 26, 2020, expanding the definition of personal information covered by the law and requiring businesses collecting data from D.C. residents to implement "reasonable security safeguards." Because D.C. law already provides a private right of action for violations of the data breach law, the updates will enable lawsuits in the event that an entity fails to meet the "reasonable security" standard—though recovery is limited to actual damages.

Personal information covered by the law was previously limited to first name or initial and last name in combination with a sensitive identifying number (Social Security number, driver's license or D.C. identification card number, or credit or debit card number), or numbers or codes that would allow access to an individual's financial or credit account. DC Code § 28–3851(3).

The new law adds first name or initial and last name plus medical information, genetic information and DNA profile, health insurance information, and biometric information to the definition, or any listed data element without name if it would allow a person to commit identity theft. The law also now covers a user name or email in combination with authentication data that would permit access to an individual's email account.

A business that handles covered personal information about a D.C. resident must now employ "procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation" to protect the information from unauthorized access. While the details of what constitutes "reasonable security" are not specified, the new law does require that contracts with service providers who will have access to personal information include a requirement that the service provider maintain reasonable security, and a requirement that secure methods be used when destroying personal information. Entities that are subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act are deemed to be in compliance with the D.C. law if they are in compliance with security requirements set forth in those laws and regulations issued thereunder.

The time period for notification remains "the most expedient time possible and without unreasonable delay." DC Code § 28–3852(a). The notification must now include contact information for the major credit reporting agencies and instructions for how the individual may request a security freeze. Identity theft protection must be offered for 18 months to all affected D.C. residents. The breached entity must also provide notification to the D.C. Attorney General if the breach affects 50 or more D.C. residents; the prior law required only notification of credit reporting agencies if more than 1,000 D.C. residents were affected.

The prior version of the data breach law contained a private right of action for violations of the law—but because the law contained only procedural requirements to notify, an underlying failure to secure data could not have given rise to a lawsuit. With the addition of a reasonable security requirement, the private right of action is expanded. However, existing law limits recovery to "actual damages, the costs of the action, and reasonable attorney's fees" and excludes "dignitary damages, including pain and suffering." DC Code § 28–3853(a).

The changes are projected to become effective on May 19, 2020.