Code of the District of Columbia

Subchapter II. Consumer Security Breach Notification.


§ 28–3851. Definitions.

For purposes of this subchapter, the term:

(1)(A) "Breach of the security of the system" means unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.

(B) The term "breach of the security of the system" does not include:

(i) A good-faith acquisition of personal information by an employee or agency of the person or entity for the purposes of the person or entity if the personal information is not used improperly or subject to further unauthorized disclosure;

(ii) Acquisition of data that has been rendered secure, including through encryption or redaction of such data, so as to be unusable by an unauthorized third party unless any information obtained has the potential to compromise the effectiveness of the security protection preventing unauthorized access; or

(iii) Acquisition of personal information of an individual that the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, will likely not result in harm to the individual.

(1A) "Genetic information" has the meaning ascribed to it under the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), approved August 21, 1996 (Pub. Law 104-191; 110 Stat. 1936), as specified in 45 C.F.R. § 106.103.

(1B) "Medical Information" means any information about a consumer's dental, medical, or mental health treatment or diagnosis by a health-care professional.

(2) “Notify” or “notification” means providing information through any of the following methods:

(A) Written notice;

(B) Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act, approved June 30, 2000 (114 Stat. 641; 15 U.S.C. § 7001); or

(C)(i) Substitute notice, if the person or entity demonstrates that the cost of providing notice to persons subject to this subchapter would exceed $50,000, that the number of persons to receive notice under this subchapter exceeds 100,000, or that the person or entity does not have sufficient contact information.

(ii) Substitute notice shall consist of all of the following:

(I) E-mail notice when the person or entity has an e-mail address for the subject persons;

(II) Conspicuous posting of the notice on the website page of the person or entity if the person or entity maintains one; and

(III) Notice to major local and, if applicable, national media.

(2A) "Person or entity" means an individual, firm, corporation, partnership, company, cooperative, association, trust, or any other organization, legal entity, or group of individuals. The term "person or entity" shall not include the District of Columbia government or any of its agencies or instrumentalities.

(3)(A) "Personal information" means:

(i) An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information:

(I) Social security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;

(II) Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account;

(III) Medical information;

(IV) Genetic information and deoxyribonucleic acid profile;

(V) Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information;

(VI) Biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that is used to uniquely authenticate the individual's identity when the individual accesses a system or account; or

(VII) Any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of this sub-subparagraph that would enable a person to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier.

(ii) A user name or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements included in sub-sub-subparagraphs (I) through (VI) of sub-subparagraph (i) that permits access to an individual's e-mail account.


(Mar. 8, 2007, D.C. Law 16-237, § 2(c), 54 DCR 393; June 17, 2020, D.C. Law 23-98, § 2(a)(3), 67 DCR 3923.)

Editor's Notes

Section 3 of D.C. Law 16-237 provided: “This act shall apply as of July 1, 2007.”


§ 28–3852. Notification of security breach.

(a) Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach. The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d) of this section, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(a-1) The notification required under subsection (a) of this section shall include:

(1) To the extent possible, a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including the elements of personal information that were, or are reasonably believed to have been, acquired;

(2) Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained;

(3) The toll-free telephone numbers and addresses for the major consumer reporting agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge pursuant to 15 U.S.C. § 1681c-1 and information how a resident may request a security freeze; and

(4) The toll-free telephone numbers, addresses, and website addresses for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft:

(A) The Federal Trade Commission; and

(B) The Office of the Attorney General for the District of Columbia.

(a-2) Notwithstanding subsection (a-1) of this section, in the case of a breach of the security of the system that only involves personal information as defined in § 28-3851(3)(A)(ii), the person or entity may comply with this section by providing the notification in electronic format or other form that directs the person to change the person's password and security question or answer, as applicable, or to take other steps appropriate to protect the e-mail account with the person or entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.

(b) Any person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.

(b-1) In addition to giving the notification required under subsection (a) of this section, and subject to subsection (d) of this section, the person or entity required to give notice shall promptly provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia if the breach affects 50 or more District residents. This notice shall be made in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided under subsection (a) of this section. The written notice shall include:

(1) The name and contact information of the person or entity reporting the breach;

(2) The name and contact information of the person or entity that experienced the breach;

(3) The nature of the breach of the security of the system, including the name of the person or entity that experienced the breach;

(4) The types of personal information compromised by the breach;

(5) The number of District residents affected by the breach;

(6) The cause of the breach, including the relationship between the person or entity that experienced the breach and the person responsible for the breach, if known;

(7) The remedial action taken by the person or entity to include steps taken to assist District residents affected by the breach;

(8) The date and time frame of the breach, if known;

(9) The address and location of corporate headquarters, if outside of the District;

(10) Any knowledge of foreign country involvement; and

(11) A sample of the notice to be provided to District residents.

(b-2) The notice required under subsection (b-1) of this section shall not be delayed on the grounds that the total number of District residents affected by the breach has not yet been ascertained.

(c) If any person or entity is required by subsection (a) or (b) of this section to notify more than 1,000 persons of a breach of security pursuant to this subsection, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by section 603(p) of the Fair Credit Reporting Act, approved October 26, 1970 (84 Stat. 1128; 15 U.S.C. § 1681a(p)), of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the person to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to a person or entity who is required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq[.]).

(d) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation but shall be made as soon as possible after the law enforcement agency determines that the notification will not compromise the investigation.

(e) [Repealed].

(f) A waiver of any provision of this subchapter shall be void and unenforceable.

(g) A person or entity that maintains procedures for a breach notification system under Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.), or the breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability Accountability Act of 1996, approved August 21, 1996 (Pub. L. No. 104-191; 110 Stat. 1936), or the Health Information Technology for Economic and Clinical Health Act, approved February 17, 2009 (Pub. L. No. 111-5; 123 Stat. 226), and provides notice in accordance with such Acts, and any rules, regulations, guidance and guidelines thereto, to each affected resident in the event of a breach, shall be deemed to be in compliance with this section with respect to the notification of residents whose personal information is included in the breach. The person or entity shall, in all cases, provide written notice of the breach of the security of the system to the Office of the Attorney General for the District of Columbia as required under subsection (b-1) of this section.


(Mar. 8, 2007, D.C. Law 16-237, § 2(c), 54 DCR 393; June 17, 2020, D.C. Law 23-98, § 2(a)(4), 67 DCR 3923.)


§ [28-3852.01]. Security requirements.

(a) To protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat, a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.

(b) A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices that:

(1) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and

(2) Are reasonably designed to protect the personal information from unauthorized access, use, modification, and disclosure.

(c) When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account:

(1) The sensitivity of the records;

(2) The nature and size of the business and its operations;

(3) The costs and benefits of different destruction and sanitation methods; and

(4) Available technology.

(d) A person or entity who is subject to and in compliance with requirements for security procedures and practices contained in Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.), or the Health Insurance Portability Accountability Act of 1996, approved August 21, 1996 (Pub. L. No. 104-191; 110 Stat. 1936), or the Health Information Technology for Economic and Clinical Health Act, approved February 17, 2009 (Pub. L. No.111-5; 123 Stat. 226), and any rules, regulations, guidance and guidelines thereto, shall be deemed to be in compliance with this section.".


(June 17, 2020, D.C. Law 23-98, § 2(a)(5), 67 DCR 3923.)


§ [28-3852.02]. Remedies.

When a person or entity experiences a breach of the security of the system that requires notification under § 28-3852(a) or (b), and such breach includes or is reasonably believed to include a social security number or taxpayer identification number, the person or entity shall offer to each District resident whose social security number or tax identification number was released identity theft protection services at no cost to such District resident for a period of not less than 18 months. The person or entity that experienced the breach of the security of its system shall provide all information necessary for District residents to enroll in the services required under this section.


(June 17, 2020, D.C. Law 23-98, § 2(a)(5), 67 DCR 3923.)


§ [28-3852.03]. Rulemaking.

The Attorney General for the District of Columbia, pursuant to [Chapter 5 of Title 2], may issue rules to implement the notification provisions pursuant to § 28-3852(b-1).


(June 17, 2020, D.C. Law 23-98, § 2(a)(5), 67 DCR 3923.)


§ 28–3853. Enforcement.

(a) [Repealed].

(b) A violation of this subchapter, or any rule issued pursuant to the authority of this subchapter, is an unfair or deceptive trade practice pursuant to § 28-3904(kk).

(c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.


(Mar. 8, 2007, D.C. Law 16-237, § 2(c), 54 DCR 393; June 17, 2020, D.C. Law 23-98, § 2(a)(6), 67 DCR 3923.)