DC Attorney General, Karl Racine, Reintroduces Data Breach Legislation – March 21, 2019

DC Attorney General introduces legislation enhancing data security and expanding reporting requirements against data breaches.

The DC Office of the Attorney General reintroduced the Security Breach Protection Amendment Act. A similar bill was first introduced in Council Period 22 in part as the AG’s response to the 2017 Equifax data breach that affected 350,000 District residents. The bill was referred to the DC Council ‘s Committee of the Whole. The Committee never acted on the bill and it essentially “died” due to lack of activity, requiring Attorney General Racine to reintroduce it.

The 2019 version aims to expand and update the District’s existing identity theft and data laws essentially bolstering the District’s ability to hold companies who do not protect the consumer data they collect, responsible. The measure has been referred to the DC Council’s Committee of the Whole. A hearing has not been scheduled but we will monitor the bill and provide updates. A summary of the bill is included below as well as a link to access the entire document.

B23-0215 – Security Breach Protection Amendment Act of 2019

The bill will amend Title 28, Chapter 38, Subchapter II of the DC Code to strengthen the protection for personal information released to unauthorized people because of a breach of the security of a computer system. Specifically, the bill aims to:

  • update and expand the definition of personal information to include additional information including passport number, tax ID number, military ID number, health information, biometric data, genetic information and DNA profiles, and health insurance information;
  • insert specific requirements for the content of the notification to consumers whose personal information has been compromised to include a statement informing residents of the right to obtain a security freeze at no cost (pursuant to federal law) and information on how a resident may request a security freeze, and where appropriate the right to ID theft prevention services;
  • require written notice of the breach to be submitted to the DC  Office of the Attorney General;
  • require persons, entities that own, license, or otherwise possess personal information to implement and maintain reasonable security procedures and practices;
  • add a requirement that in case of a social security number breach, the company must provide 2 years of identity theft protection services, and
  • make violation of the data breach law a violation of the Consumer Protection Procedures Act (CPPA).

Introduction Date: Mar 21, 2019
Introduced by: Chairman Mendelson at the request of the Attorney General
Committee Referral: Committee of the Whole with comments from the Committee on Judiciary and Public Safety