New Data Breach Notification Law In Washington D.C.

Statute § 28–3852., also known as the District of Columbia Data Breach Notification Law, is a data breach notification law that was originally passed in the U.S. federal district and capital city of Washington D.C. in 2007 and recently amended in 2020. Statute § 28–3852. Establishes the requirements for businesses and organizations operating within Washington D.C. in the event that said entities experience a data breach that leads to the unauthorized disclosure of personal information. Moreover, the law also sets forth the punishments that businesses and organizations within Washington D.C. stand to face should they fail to comply with the provisions laid out in the law.

How is a data breach defined under Statute § 28–3852?

Under Statute § 28–3852, a data breach is defined as the “unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.’ There are exceptions for ‘good-faith’ acquisition of personal information, acquisition of data rendered unusable by unauthorized third parties (unless the information may compromise security protection), and acquisition of personal data reasonably determined unlikely to result in harm to the individual after consultation with the AG’s Office.”

What are the requirements of businesses and organizations under Statute § 28–3852?

Statute § 28–3852 mandates that agencies, businesses, and organizations operating within Washington D.C. provide affected parties with data breach notices in the event of such an incident. These notices must include the following information:

• A description of the categories of personal information that were disclosed as a result of the breach.
• The specific contact information of the person or entity that has provided the notice.
• The specific contact information of all 3 major consumer credit reporting agencies within the U.S., as well as “a statement of the resident’s right to obtain a security freeze free of charge and how to request a security freeze.”
• Specific contact information for the Federal Trade Commission or FTC,  the Office of the Attorney General for the District of Columbia, as well as a “statement on how to obtain information from these sources on identity theft.”

What’s more, in accordance with amendments that were made to Statute § 28–3852. in 2020, businesses and organizations within Washington D.C. have to fulfill additional requirements in the event that they experience a data breach that affects more than 50 residents within the city. To this point, businesses and organizations within Washington D.C. must also provide notices containing the following information should they experience a data breach that affects more than 50 individuals:

• The name or contact information of the individual or entity who is reporting the data breach.
• The name or contact information of the individual or entity that experienced the data breach.
• The nature of the data breach.
• The categories of personal information that have been compromised as a result of the breach.
• The number of Washington D.C. residents that have been impacted by the data breach.
• The specific cause of the breach.
• Any remedial action that has been taken to address the breach.
• The specific date and the time frame during which the breach occurred.
• The address and location of a business or organization’s corporate headquarters, permitting said headquarters are located outside of Washington D.C.
• Any knowledge concerning foreign involvement in the data breach.
• A sample notice to all Washington D.C. residents.

What are the penalties for violating Statute § 28–3852.?

In terms of the enforcement of Statute § 28–3852, the law is enforced by both the Federal Trade Commission or the FTC and the Attorney General for the District of Columbia. As such, these entities have the authority to impose a number of sanctions and penalties against agencies, businesses, and organizations that fail to adhere to the provisions established in the law. To this end, as stated in Statute § 28–3852, “violations of the Breach Notification Law may be considered ‘unfair and deceptive trade practice[s]’ under DC law, subjecting entities to pay consumers treble damages or $1500 per violation, as well as actual damages.” Furthermore, “when a data breach is reasonably believed to include DC residents’ social security numbers or taxpayer-identification numbers, the breached entity must offer impacted DC residents identity theft protection at no cost for at least 18 months.”

Through the amendment of Statute § 28–3852, residents of the city of Washington D.C. are provided with an enhanced level of protection as it concerns data breaches and other related security incidents that lead to the unauthorized disclosure of personal information. As the provisions of the law mandate that businesses and organizations make further disclosures of information in the event that a data breach affects more than 50 residents within the city, citizens of the nation’s capital can rest assured that they will be provided with all the information they need to rectify their situation in the event that their personal information is improperly accessed as a result of a data breach.