Requirements of the District’s Data Breach Notification Law

All fifty states and the District of Columbia require that companies notify consumers when they experience a breach of their customers’ personal information.  On March 26, the Mayor signed into law the Security Breach Protection Amendment Act of 2019.  The Act went into effect on June 8, 2020 and updates the District’s Consumer Security Breach Notification Act, D.C. Code § 28–3851, et al., in significant ways.  This page is intended to provide general information and resources to help businesses affected by the law understand their obligations.  Nothing here constitutes legal advice. The Office of the Attorney General (“OAG”) encourages businesses to seek any help and guidance necessary to ensure they are complying with the law.

What is a data breach?

A data breach is the unauthorized acquisition of electronic personal information. 

Data breaches can be the result of criminal cyber-activity, such as hacking or ransomware, or because of employee error, such as emailing information to the wrong person.

There are exceptions to this rule.  No breach occurs under the law if the personal information has been rendered secure (e.g., through encryption or redaction) and unusable by a third-party.  Likewise, no breach occurs if the company affected concludes, after consulting the relevant authorities, that the unauthorized acquisition is unlikely to result in harm to consumers. A company must consult with OAG before concluding that consumer harm is unlikely.

What is personal information?

The Act expands the kinds of personal information covered by the District’s data breach notification law.  The law now covers a person’s first name or first initial and last name, phone number, address, or any other personal identifier, and any one of the following:

• social security number;
• driver’s license number or District of Columbia Identification Card number;
• credit card number or debit card number;
• any other number, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account;
• passport number;
• taxpayer identification number;
• military ID number;
• medical information;
• biometric data;
• genetic information and DNA profiles; or
• health insurance information

In addition, the law covers any combination of the above elements that would enable a person to commit identity theft.

When must my company report a breach?

A company must notify both consumers and OAG in the most expedient time possible and without unreasonable delay. When a delay occurs due to obtaining information about affected consumers (such as contact information), an entity need not, and should not, wait until it contacts affected consumers to report the breach to the Attorney General.

How should my company notify consumers of a breach?

Under the Act, the notice to consumers must include:

• To the extent possible, a description of the categories of information that were subject to the breach;
• Contact information for the company making the notification;
• The toll-free telephone numbers and addresses for the major consumer reporting agencies;
• A statement explaining the right to obtain a security freeze free of charge under federal law and information on how a resident may request a security freeze; and
• Contact information for the Federal Trade Commission and OAG. 

How should my company notify the Attorney General of a breach?

To report a breach to OAG, please email databreach@dc.gov. Under the Act, the notice to OAG must include:

• The name and contact information of the person or entity reporting the breach;
• The name and contact information of the person or entity that experienced the breach;
• The nature of the breach of the security of the system;
• The types of personal information compromised by the breach;
• The number of District residents affected by the breach;
• The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known;
• Remedial action taken by the person or entity including steps taken to assist District residents affected by the breach;
• The date and time frame of the breach, if known;
• Address and location of corporate headquarters, if outside of the District;
• Any knowledge of foreign country involvement; and
• A sample of the notice to be provided to District residents.

If you would like to discuss a data security breach or security event that has or may trigger breach notification to District residents, please email databreach@dc.gov or contact OAG’s Office of Consumer Protection at 202-442-9828.

What other obligations does my company have under the law?

In the case of a breach involving social security or tax identification numbers, a company is obligated to provide affected consumers with 18 months of free identity theft prevention services.

More broadly, any person or entity that owns, licenses, maintains, handles or otherwise possesses personal information of District residents must implement and maintain reasonable security safeguards.  What is reasonable depends in part on the size of the entity and the sensitivity of the information involved.

Additional resources

The Federal Trade Commission has resources for small businesses to ensure that they are taking appropriate precautions against cyber-attacks: https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity.