WASHINGTON, D.C. – Attorney General Karl A. Racine today announced the introduction of the Security Breach Protection Amendment Act of 2019, which would modernize the District’s data breach law and strengthen protections for residents’ personal information. AG Racine has introduced this bill in response to major data breaches that have put tens of millions of consumers, and hundreds of thousands of District residents, at risk of identity theft and other types of fraud. The new legislation would expand legal protections to cover additional types of personal information, require companies that deal with personal information to implement safeguards, include additional reporting requirements for companies that suffer a data breach, and require companies that expose consumers’ social security numbers to offer two years of free identity theft protection.
“Data breaches and identify theft continue to pose major threats to District residents and consumers nationwide,” said AG Racine. “The District’s current data security law does not adequately protect residents. Today’s amendment will bolster the District’s ability to hold companies responsible when they collect and use vast amounts of consumer data and do not protect it. I urge the Council to pass this legislation quickly for the benefit of District residents.”
A data breach occurs when sensitive or confidential information is intentionally or accidentally released by a company or an individual. These releases of information may happen because of lax security or as a result of hacking or cyber attacks. Data breaches often result in the public disclosure of personally identifiable information like names, addresses, and phone numbers, or financial information, like bank and credit card details. Recent years have seen some of the largest and most serious data breaches in history, including the Equifax breach, which exposed the personal information of over 143 million people, including nearly 350,000 District residents.
The Security Breach Protection Amendment Act of 2019, reintroduced today in the D.C. Council, strengthens District law by:
- Holding companies accountable for safeguarding a broader range of private information: In addition to covering social security numbers, driver’s license numbers, and credit or debit card numbers, the new proposed definition for “personal information” would also require companies to protect passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information. This expanded definition takes into account new security and authentication practices and would better protect residents against identity theft.
- Creating security requirements for companies that handle personal information: The proposal requires companies that own, license, maintain, handle, or otherwise possess personal information to implement and maintain security safeguards against unauthorized access or use of data.
- Requiring companies to provide identity theft protection if they expose Social Security numbers: Companies that expose Social Security or tax identification numbers as part of a data breach would be required to provide affected District consumers with two years of free identity theft prevention services.
- Requiring companies to inform consumers of their rights when a data breach occurs: If a data breach occurs, companies would be required to inform consumers of their right under federal law to obtain a security freeze at no cost and information how to obtain such a freeze.
The legislation would also require companies to notify the Office of the Attorney General of any data breaches and would make a violation of the data breach law a violation of the District’s Consumer Protection Procedures Act.
A copy of AG Racine’s proposed bill is available at: https://oag.dc.gov/sites/default/files/2019-03/Security-Breach-Protection-Amendment-Act-of-2019.pdf
Protecting Your Personal Information
For information about steps you can take to protect your own sensitive and private information, visit OAG’s Consumer Protection Library . Learn more about how to protect yourself on social media .
How to File a Consumer Complaint
Consumers can report data theft, scams, and unlawful or abusive business practices by calling OAG’s Office of Consumer Protection at (202) 442-9828, emailing , or submitting a complaint online using OAG’s .