DC Attorney General Introduces Legislation to Protect District Residents' Personal Data

March 28, 2019

Washington, D.C. Attorney General Karl A. Racine announced the Security Breach Protection Amendment Act of 2019, which would modernize the District’s data breach law and strengthen protections for residents’ personal information.

The new legislation would expand legal protections to cover additional types of personal information, require companies that deal with personal information to implement safeguards, include additional reporting requirements for companies that suffer a data breach, and require companies that expose consumers’ social security numbers to offer two years of free identity theft protection.

“Data breaches and identify theft continue to pose major threats to District residents and consumers nationwide,” said AG Racine. “The District’s current data security law does not adequately protect residents. Today’s amendment will bolster the District’s ability to hold companies responsible when they collect and use vast amounts of consumer data and do not protect it. I urge the Council to pass this legislation quickly for the benefit of District residents.”

The Security Breach Protection Amendment Act of 2019 strengthens District law by:

Holding companies accountable for safeguarding a broader range of private information: In addition to covering social security numbers, driver’s license numbers, and credit or debit card numbers, the new proposed definition for “personal information” would also require companies to protect passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information. This expanded definition takes into account new security and authentication practices and would better protect residents against identity theft.
Creating security requirements for companies that handle personal information: The proposal requires companies that own, license, maintain, handle, or otherwise possess personal information to implement and maintain security safeguards against unauthorized access or use of data.
Requiring companies to provide identity theft protection if they expose Social Security numbers: Companies that expose Social Security or tax identification numbers as part of a data breach would be required to provide affected District consumers with two years of free identity theft prevention services.
Requiring companies to inform consumers of their rights when a data breach occurs: If a data breach occurs, companies would be required to inform consumers of their right under federal law to obtain a security freeze at no cost and information how to obtain such a freeze.

The legislation would also require companies to notify the Office of the Attorney General of any data breaches and would make a violation of the data breach law a violation of the District’s Consumer Protection Procedures Act.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.