New Data Breach Notification Law in Washington D.C. Takes Effect

The Washington D.C. data breach notification law’s recent changes became effective on May 19, 2020 . The changes announced in March considerably updated present breach notification conditions. Because the classification of data as personal information had a substantial expansion, breach notifications are warranted when the said personal information are subjected to unauthorized access. In addition, there are new data security requirements.

Before the change, it is required to send notifications when a breach involved exposure of personal information like names, telephone numbers, and addresses combined with a driver’s license number, Social Security number, credit/debit card number or DC ID card, or if breached information included numbers and codes that would permit access to credit or finance accounts.

The change added to the list several other data elements. Now, it is required to send breach notifications in case of exposure of any of the data listed below, even if there’s no name but the information may be employed for identity theft:

      • Medical facts
      • Medical insurance data
      • Genetic information and DNA profiles
      • Biometric data
      • Usernames or email addresses combined with a password or security questions with answers that could permit account access
      • Passport numbers
      • Military ID numbers
      • Taxpayer ID numbers
      • Other unique ID numbers issued by the government

The D.C. Attorney General’s office should be informed in case of a breach that involves the information of over 50 D.C. residents. The breached entity must issue notifications without unreasonable delay as much as possible. Just like in the state of California, breach notifications are now required in connection with the compromise of the abovementioned information.

The breached entity should also provide free identity theft protection services for a minimum of 18 months to breach victims when their Social Security numbers or taxpayer ID numbers were exposed.

The update furthermore requires all businesses that gather, retain, or process the personal data of D.C. locals to employ and keep reasonable measures to protect personal data. The policies, procedures, and tactics must show the nature and capacity of the entity. In the event that the entity forms a partnership with third-party companies, there must be a service agreement between the two entities to confirm that the third party has reasonable safety standards to protect the confidentiality, availability and integrity of personal data accessed.

There is no need to send breach notifications if the breach involved encrypted data except if the same can be decrypted. Breach notifications are not necessary as well if the breached entity, together with the D.C. Attorney General, finds low risk of harm.

HIPAA-covered entities that comply with the HIPAA Breach Notification Rule are considered compliant with the new breach notification requirements. However, they still need to inform the D.C. Attorney General in case of a data breach. This also applies to entities covered by GLBA and complies with it.