On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.
1. Definition of “Personal Information”
Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements:
- Social Security number;
- Individual tax identification number;
- Passport number;
- Driver’s license number;
- D.C. identification card number;
- Military identification number;
- Other unique identification number on a government-issued document;
- Financial account number or any other code or combination of numbers that allows access to or use of an individual’s financial or credit account;
- Medical information;
- Genetic information and DNA profile;
- Health insurance information;
- Biometric data; and
- Any combination of data elements that would enable a person to commit identity theft without an individual’s name.
2. Breach Notification Requirements
The Act creates new contents for individual breach notifications. The notice must include:
- A description of the categories of information that were, or are reasonably believed to have been, acquired by an authorized person, including the elements of personal information;
- Contact information for the person or entity making the notification, including business address, telephone number, and toll-free telephone number if one is maintained;
- Toll-free telephone numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze;
- Toll-free telephone numbers, addresses, and websites for the Federal Trade Commission and the Office of the Attorney General for the District of Columbia, including steps to take to avoid identity theft;
- Offer theft prevention services at no cost for at least 18 months if a breach results in the release of a Social Security number or tax identification number of a District resident;
- Notice in electronic format or other format that directs the person to their password and security question or answer, as applicable, if the breach only affected an online account.
Further, written notice of a breach must be given to the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents. The written notice shall be made in the most expedient manner possible and without unreasonable delay, and shall include the following:
- The name and contact information of the person or entity reporting the breach;
- The name and contact information of the person or entity that experienced the breach;
- The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach;
- The types of personal information compromised by the breach;
- The number of District residents affected by the breach;
- The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known;
- The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach;
- The date and time frame of the breach, if known;
- The address and location of corporate headquarters, if outside of the District;
- Any knowledge of foreign country involvement; and
- A sample of the notice to be provided to District residents.
3. Security Requirements
The Act requires any person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of District residents to implement and maintain reasonable security safeguards. A person or entity that uses a nonaffiliated third party service provider that owns, licenses, maintains, handles, or otherwise possesses personal information of a District resident must have a written agreement with the third party requiring the third party to implement and maintain reasonable security procedures and practices.
A violation of the Act constitutes an unfair or deceptive trade practice. As such, the Attorney General for the District of Columbia has enforcement authority under the Consumer Protection Procedures Act.
The Act maintains the previously existing private cause of action for data breaches. Penalties may include treble damages or $1,500 per violation, whichever is greater, or actual damages. Also, an entity that suffers a data breach that exposes a District resident’s social security or tax identification number must offer to each such resident identity theft protection services at no cost to such District resident for a period of not less than 18 months.
The District of Columbia’s new law adds to the complexity that companies operating across state lines must consider. Given the District’s status as the nation’s capital means that a violation of the Act may implicate federal laws or regulations, or vice versa. For example, a contractor that fails to safeguard personally identifiable information pursuant to DFARS 252.204-7012 could conceivably also violate this new Act and subject itself to private causes of action and civil penalties.
Companies are encouraged to implement their data breach prevention and procedures to ensure compliance with the new District of Columbia Act.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.