In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislature. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.
Key updates to D.C.’s new law include:
- Expansion of personal information
Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation. Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, (2) or an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements: Social Security Number; Driver license number or DC identification card number; or Credit card number or debit card number.
The amendment significantly expands the definition of personal information to include the following new data elements:
- Identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
- medical information;
- genetic information and DNA profile;
- health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
- biometric data; and
- any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.
Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access an individual’s email account.”
- Notification to Attorney General
Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.
- GLBA/HIPAA Exemption
The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those law, as applicable. However those entities must still notify the Attorney General of any breach that requires notification by GLBA or HIPAA.
- Risk of Harm Threshold
If a person or entity reasonable determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.
- Free Mitigation Services for Affected Residents
D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach that includes Social Security numbers and/or taxpayer identification numbers, must offer affected individuals at least 18 months of identity theft protection services at no cost.
Data Security Requirements
Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and nature and size of the entity of the operation. Further, covered entities must enter written agreements with their third party service providers requiring the service provider to implement and maintain similar security procedures and practices.
This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.