Share this article on:
On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of data classified as personal information that warrants breach notifications if subjected to unauthorized access and new data security requirements have been introduced.
Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses were exposed in combination with a Social Security number, driver’s license number, DC ID card, or credit/debit card number or if numbers and codes were breached that allowed credit or finance accounts to be accessed.
The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name if the data could be used for identity theft:
- Medical information
- Health insurance information
- Genetic data and DNA profiles
- Biometric information
- Passport numbers
- Usernames or email addresses in combination with a password or security questions and answers that would allow the account to be accessed
- Taxpayer ID numbers
- Military ID numbers
- Other unique government-issued ID numbers
The D.C. Attorney General’s office must be notified in the event of a breach involving the data of more than 50 D.C. residents, and notifications must be issued without unreasonable delay in the most expedient manner possible. As is the case in states such as California, there are now content requirements for breach notifications.
It is also now mandatory for the breached entity to offer a minimum of 18 months of complementary identity theft protection services to breach victims if a Social Security number or taxpayer ID number has been breached.
The update also calls for all businesses that collect, maintain, or process the personal information of D.C. residents to implement and maintain reasonable safeguards to secure personal information. The policies, procedures, and practices should reflect the nature and size of the entity. In cases where the entity works with third-party service providers, they must enter into a service agreement with the covered entity confirming they too will implement reasonable safeguards to ensure the confidentiality, integrity, and availability of personal information provided to them.
Breach notifications are not required if encrypted data is breached unless it can be decrypted, and neither if the breached entity determines, in conjunction with the D.C. Attorney General, that there is a low risk of harm.
HIPAA-covered entities in compliance with the HIPAA Breach Notification Rule are deemed to be compliant with the breach notification requirements of the updated law but are still required to notify the D.C. Attorney General about a data breach. The same applies to entities that are subject to and compliant with GLBA.