Skip to main content
Top Button
D.C. Data Breach Notification Law Adds More Stringent Notification Requirement D.C. Data Breach Notification Law Adds More Stringent Notification Requirement

D.C. Data Breach Notification Law Adds More Stringent Notification Requirement

Businesses operating in the District of Columbia (“D.C.” or the “District”) should review their information security and data privacy practices to ensure they take into account the implementation of the Security Breach Protection Amendment Act of 2019 (the “Law”). Signed by D.C. Mayor Muriel Bowser on March 26, 2020, the Law significantly overhauls D.C.’s existing data breach notification law enacted in 2007. The Law now moves to a 30-day congressional review period, where it is expected to be approved.

The Law will significantly expand the scope of the District’s approach to data breach notifications, which in the past covered only four categories of personal information and gave the D.C. Attorney General limited enforcement authority. The Law enhances D.C.’s data breach notification law into one of the United States’ more stringent breach notification laws.

Given the national-level attention that would come from breaches involving the District and the District’s proximity to the federal government and strong media sector, a data breach that triggers the new requirements is likely to involve significant public dimensions that often present particular challenges for the business that suffered the breach. Below is a summary of some of the major changes made by the Law.

Personal Information Definition Expanded

A significantly broader definition of “personal information” now includes a number of new data elements, thereby becoming one of the more encompassing definitions in the United States. The new data elements include:

  • identifiers such as taxpayer identification number, passport number, military identification number, and other unique identification numbers issued on a government document;
  • financial account number or any other combination of numbers or codes that may allow access to an individual’s financial or credit accounts;
  • medical information, health insurance information, biometric data, genetic information, and DNA profile; and
  • username or email address in combination with any authenticators necessary to access a person’s account.

Notably, the Law includes a broad catch-all provision that extends to cover any combination of enumerated data elements that would enable a person to commit identity theft (even without the individual’s first and last name) as qualifying “personal information.”

Content Requirements for Individual Breach Notification Notices

The Law creates new content requirements for individual breach notification notices. Some of the content requirements for the notices include: the types of data elements compromised; the contact information for the entity reporting the breach; and toll-free numbers for credit reporting agencies, the FTC, and the D.C. Attorney General.

Mandatory Breach Notification to the D.C. Attorney General

The Law requires that any qualifying data breach be reported to the D.C. Attorney General. Specifically, the D.C. Attorney General must be notified in the event of a data breach affecting 50 or more D.C. residents. Notice must be made in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided” to affected D.C. residents. The Law also includes specific content requirements for Attorney General notices. Some of the content requirements include:

  • the nature of the data breach;
  • types of personal information compromised;
  • the number of D.C. residents affected;
  • the cause of the data breach;
  • remedial steps taken; and
  • a sample of the notice sent to affected D.C. residents.

Security Requirements for Businesses and Service Providers

Most notably, the Law creates new security requirements for entities. Specifically, it requires any entity that handles the personal information of D.C. residents to “implement and maintain reasonable security safeguards” to protect personal information. However, the Law does not define what constitutes “reasonable security safeguards.” In addition, the Law requires entities that use third-party service providers to process the personal information of DC residents to have a written agreement in place requiring the service provider to “implement and maintain reasonable security procedures and practices.”

Remedies and Enforcement

Like a handful of other states, the Law requires entities that experience a data breach to offer complimentary credit monitoring to affected individuals in certain circumstances. The Law states that in the event an entity experiences a data breach that includes social security numbers or taxpayer identification numbers, the entity must provide those affected D.C. residents with identity theft protection services at no cost for a period of at least 18 months.

Related to enforcement, the D.C. Attorney General has been granted rulemaking authority to implement the notification section of the Law. The D.C. Attorney General has also been granted enforcement authority under the D.C. Consumer Protection Procedures Act since violations of the Law are categorized as “unfair or deceptive trade practices.”


Data breaches can happen at any time and it’s important that businesses have a plan in place to address such incidents. Businesses should consider developing an incident response plan or updating their respective incident response plans in order to comply with the Law. Ice Miller has the professionals and experience to assist businesses with data breach response and interfacing with state and federal regulators in the event of a data breach. If you would like to speak to a professional, please contact Guillermo Christensen. Guillermo, a former CIA intelligence officer and a diplomat with the U.S. Department of State, is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Practices. 

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

View Full Site View Mobile Optimized