Legislative Alert: D.C. Passes Security Breach Protection Amendment Act, Creating New Notice Requirements and Cybersecurity Safeguards

April 17, 2020 On March 26, 2020, District of Columbia Mayor Muriel Bowser signed into law Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” The Act, which amends section 28 of Chapter 38 of the District of Columbia Code, broadens the existing definition of “personal information,” increases the breach notice contents requirements, provides attorney general notice requirements, and mandates cybersecurity safeguards.

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

On March 26, 2020, District of Columbia Mayor Muriel Bowser signed into law Act 23-268,  known as the “Security Breach Protection Amendment Act of 2020.” The Act, which amends section 28 of Chapter 38 of the District of Columbia Code, broadens the existing definition of “personal information,” increases the breach notice contents requirements, provides attorney general notice requirements, and mandates cybersecurity safeguards.  The Act will take effect after a 30-day congressional review and publication in the District of Columbia Register. This post provides a summary of the key details of this Act.  

Definition of Personal Information

The Act expands the definition of “personal information,” which previously included (when combined with an individual’s name) a Social Security number, driver’s license number, District of Columbia identification card number, a credit or debit card number alone, or any combination of numbers, codes, or passwords that allowed access to an individual’s financial account.

Following the passage of the Act, “personal information” now also includes the following data elements:

  • Taxpayer identification number;
  • Passport number;
  • Military identification number;
  • Other unique government issued identification numbers used to identify an individual;
  • Medical information;
  • Genetic information and DNA profile;
  • Health insurance information;
  • Biometric data; and
  • Any combination of data elements that would enable a person to commit identity theft without an individual’s name

New Breach Notification Requirements

The Act also amends the content requirements of data breach notifications to affected individuals by requiring that the notifications now include the following:

  • A description of the categories of information that were acquired, or that were reasonably believed to have been acquired;
  • Contact information for the person or entity issuing the notification, including business address, telephone number, and toll-free telephone number, if maintained;
  • Notification of a resident’s right to obtain a security freeze, including toll-free telephone numbers and addresses for the major consumer reporting agencies;
  • Toll-free telephone numbers, addresses, and websites for the Federal Trade Commission and the attorney general of the District of Columbia, including steps to take to avoid identity theft;
  • Offer of theft protection services at no cost for at least 18 months, if it is reasonably believed that a breach involved the Social Security number or tax identification number of a District resident;
  • Electronic notice directing a person to change their password and/or security question(s), if the breach only affected an online account.

If 50 or more District residents are affected by the breach, notification must be provided to the attorney general in the most expedient manner possible, without unreasonable delay, and in no event later than notice was provided to affected residents. The written notice must include:

  • The name and contact information of the person or entity reporting the breach;
  • The name and contact information of the person or entity that experienced the breach;
  • The nature of the breach;
  • The types of personal information compromised by the breach;
  • The number of District residents affected by the breach;
  • The cause of the breach;
  • Remediation actions taken, including steps to assist District residents;
  • The date and timeframe of the breach, if known;
  • Address and location of corporate headquarters, if outside of the District;
  • Any knowledge of foreign country involvement; and
  • A sample of the notice provided to District residents.

New Cybersecurity Safeguards

Finally, any person or entity that owns, licenses, maintains, handles, or otherwise possesses the personal information of District residents is required to implement and maintain reasonable information security safeguards, procedures, and practices appropriate to the nature of the personal information and to the nature and size of the entity.

If a person or entity uses a third party service provider that owns, licenses, maintains, handles, or otherwise possesses the personal information of District residents, then a written agreement to maintain reasonable security procedures and practices is required. 

When destroying records that contain personal information, a person or entity shall take reasonable steps to protect against the unauthorized access or use of those records.

For more information on this new law, contact the authors of this alert.