Client Alert: Washington DC Increases Breach Response Requirements and Focuses on Data Security

A recent amendment to the District of Columbia’s data breach notification law (the “D.C. Breach Law”) highlights the nation’s increased focus on data security standards. Generally, the changes to the D.C. Breach Law fall into three categories: (1) expanding what is considered a reportable incident; (2) expanding the notification requirements for breaches; and (3) emphasizing proactive data security measures.

Expanding What is Considered a Reportable Incident

The amended D.C. Breach Law has broadened the definition of “personal information.”  A breach is an incident that compromises the security, confidentiality, or integrity of “personal information.” By including more types of information in the definition of “personal information,” there is an increased likelihood that a disclosure of information will be considered a breach.

Most state data breach laws consider “personal information” to be identifiers (such as a name) in combination with certain types of sensitive information (such as a social security number). In order for there to be a data breach, the exposed data must include both data that identifies individuals and sensitive data about the individuals. The updated D.C. Breach Law expands the types of information that are identifying information, expands the types of information that are sensitive data, and creates categories of sensitive information that do not need to be paired with identifying information in order to fall within the definition of “personal information.”

Instead of specifying the types of data that constitute an identifier, any data element that can be used to identify a person is considered identifying information. The list of sensitive information is expanded to include any unique identification number issued on a government document used to identify an individual, medical information, genetic information, health insurance information, and biometric information. Even if not linked to a person’s name, certain sensitive data, such as a social security number, is considered personal information if the sensitive data enables identity theft or if the information consists of credentials that would allow access to an individual’s email account.

Expanding the Notification Requirements for Breaches

The amended D.C. Breach Law requires additional information in an entity’s notice to affected individuals, notification to the D.C. Attorney General, and a careful analysis of the narrow exceptions in the D.C. Breach Law.

Under the D.C. Breach Law, an incident is not considered a breach if the incident is unlikely to result in harm to the affected individuals. However, unlike the analysis under most other state breach laws, this determination must be made in consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies.

When notice is necessary, similar to the requirements of other jurisdictions, the D.C. Breach law mandates that a notice to affected individuals provide details about the breach, the entity’s contact information, contact information for consumer reporting agencies, and contact information for the FTC and D.C. Office of the Attorney General.  Notice to the Office of the Attorney General for the District of Columbia is required if the breach affected 50 or more D.C. residents. Breached entities must include details about the breach in this notice.
If individuals’ social security numbers or taxpayer identification numbers are disclosed in a data breach, the breached entity must also provide affected individuals with at least 18 months of identity theft protection services and all information necessary to enroll in such services.

Under the amended D.C. Breach Law, a breach notification given pursuant to the Gramm-Leach -Bliley Act (“GLBA”) or the Health Insurance Portability Accountability Act (“HIPAA”) will satisfy the requirement to notify individuals. However, the breached entity will still be required to follow the D.C. Breach Law’s requirements for notifying the DC Office of the Attorney General. Regardless of whether an entity falls under HIPAA or GLBA, the entity must perform a breach analysis under the D.C. Breach Law to determine the full extent of its notification requirements.

Emphasizing Proactive Data Security Measures

The D.C. Breach Law emphasizes the importance of proactive security measures by creating an exception for the disclosure of data that was secured in a manner that makes the data unusable by unauthorized third parties. For example, acquisition of data by an unauthorized third party will not require notification if the disclosed data is “rendered secure.” This can be accomplished through the use of encryption or redaction of the data.

Further, the D.C. Breach Law now requires entities to implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation. This requires entities to proactively assess their current data security practices and assess whether they are reasonable in light of the entity’s nature and size. The law also specifies areas of an entity’s operations that should be assessed and addressed. For example, each entity should consider the threats that are anticipated in the entity’s operations, the security safeguards that the entity contractually requires its services providers to have in place, and its data destruction practices. In addition to this assessment, entities must also make sure that their service provider contracts include reasonable security requirements as required by the D.C. Breach Law. 
The amended D.C. Breach Law also potentially increases an entity’s exposure of liability from a breach by making violations of the D.C. Breach Law an unfair or deceptive trade practice with remedies including treble damages, or $1,500 per violation.

The amended D.C. Breach Law will likely increase the number of incidents that will be considered a breach, and requires entities to assess their current data security practices. The changes to the D.C. Breach Law are part of a national movement towards increased data security. Now more than ever entities need to assess how they are addressing data security and the effectiveness of their incident response plan.

If you have any questions about data security or data privacy, we are here to help.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.