Stricter Breach Notification Laws Proposed by D.C. Attorney General

Washington D.C. Attorney General Karl A. Racine wants to reinforce data breach notification regulations to give D.C. residents increased protection in case their personal data is compromised in a data breach.

Attorney General Racine presented the Security Breach Protection Amendment Act on March 21, 2019. This bill offers an expanded definition of personal information that warrants the sending of notifications to consumers when there is a data breach.

At present, laws in the District of Columbia necessitate the sending of breach notifications if there is a breach of driver’s license numbers, Social Security numbers or financial details, including debit and credit card numbers.

If the Security Breach Protection Amendment Act is passed, the definition of personal information will also include taxpayer ID numbers, genetic data such as DNA profiles, biometric data, military Identification data, passport numbers, and health insurance details.

According to Attorney General Racine, one of the primary reasons why the update is necessary is to better shield state residents from data breaches just like the one encountered by Equifax. That breach impacted 143 million people around the world including 350,000 D.C. residents.

The Security Breach Protection Amendment Act will compel companies that gather, own, license, manage, or otherwise maintain the ‘personal information’ of District of Columbia residents to employ safety measures to make sure personal data stays private and confidential.

The Security Breach Protection Amendment Act additionally necessitates companies make clear to consumers what types of information have been breached and what consumers need to do to protect their identities. They must also advise consumers of their rights, including the right to place a security freeze on their accounts at no cost.

If Social Security numbers are compromised in a data breach, companies need to provide at least two years registration to identity theft protection services for free. Also, the D.C. attorney general should be notified about a breach of personal data, though there is no mention of the timescale for doing so in the bill.

Failure to follow the Security Breach Protection Amendment Act will be regarded as a violation of the D.C. Consumer Protection Procedures Act. Violators could face a considerable financial penalty.

This is the second time that Attorney General Racine has tried to raise consumer protections for data breached. The bill he introduced in 2017 failed the approval process by the D.C Council.

The Mayor and D.C. Council must first approve the Security Breach Protection Amendment Act before it is passed to Congress, which will complete its review in 30 days.