Karl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new Security Breach Protection Amendment Act of 2019 requires entities to maintain “reasonable security safeguards,” significantly expands the definition of “personal information,” imposes new requirements to notify the Attorney General’s Office, and mandates 18 months of free credit monitoring for breaches involving social security or tax identification numbers.
New “Reasonable Security Safeguards” Requirements
With its new law, D.C. joins the ranks of states that obligate entities to implement and maintain “reasonable security safeguards” to protect personal information. The law does not set forth specifics, but requires procedures and practices that are appropriate in light of the nature of the personal information and the nature and size of the organization. An entity’s third-party service providers must also be required by written agreement to implement appropriate security safeguards to protect personal information disclosed to them.
Entities subject to and in compliance with the security requirements of the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) are deemed to be in compliance with these security requirements.
Mandatory Credit Monitoring
The new law requires organizations to offer free identity theft protection services for at least 18 months to D.C. residents whose social security number or tax identification number was involved in a breach. With this move, D.C. joins the handful of states that require provision of these services.
“Personal Information” Expanded
The new law expands the list of individual data elements that constitute “personal information” when acquired with an individual’s name, adding:
- Individual taxpayer identification number, passport number, military identification number, or other unique identification number issued on a government document;
- Account number or any other number or code or combination of numbers or codes that allows access to or use of an individual’s financial or credit account;
- Medical information;
- Genetic information and DNA profile;
- Health insurance information;
- Biometric data.
The definition of “personal information” is further expanded to include the following, even when acquired without an individual’s name:
- Any combination of data elements that would enable a person to commit identity theft; or
- A user name or e-mail address in combination with a password, security question and answer, or any combination of data elements that permits access to an individual’s e-mail account.
Amended Individual Notice Requirements
The new D.C. law adds a new, but challenging, risk of harm exemption. Notice is not required if the entity “reasonably determines” that the breach “will likely not result in harm to the individual.” The entity, however, can reach this determination only after three steps: (1) a reasonable investigation, (2) consultation with the Office of the Attorney General for the District of Columbia and (3) consultation with federal law enforcement agencies. Some entities will no doubt find these consultation steps to be sufficiently chilling that they will instead issue notices in marginal circumstances.
As it exists currently, D.C.’s data breach law is silent on requirements for the contents of individual breach notices. Starting in June, however, individual notice must include:
- A description of the categories and elements of information acquired;
- The entity’s contact information;
- Contact information for the major consumer reporting agencies, and information about obtaining a free security freeze; and
- Contact information for the FTC and D.C. Attorney General, and a statement that these sources can provide information about avoiding identity theft.
New Attorney General Notification Requirements
The new law requires entities to notify the D.C. Attorney General of all breaches except the smallest, those involving fewer than 50 residents. The notice must be given in writing, no later than the individual resident notices, and must include:
- The reporting entity’s name and contact information;
- The name and contact information of the entity that experienced the breach;
- The nature of the breach;
- The types of personal information compromised;
- The number of D.C. residents affected;
- The cause of the breach, including the relationship between the entity and the person responsible for the breach, if known;
- Remediation actions and steps taken to assist affected residents;
- The date and time frame of the breach, if known;
- The address and location of the entity’s corporate headquarters, if outside D.C.; and
- A sample of the notice letter provided to residents.
Currently, entities that follow the breach notification procedures of the GLBA are exempt from the statute’s individual notification requirements. The new law similarly exempts entities that comply with the breach notification requirements of HIPAA or the HITECH Act. Nevertheless, such entities must still provide written notice of the breach to the D.C. Attorney General.
The new law significantly changes the risks and requirements an organization must consider in deciding whether to notify individuals when it experiences a breach affecting D.C. residents.
The introduction of data security requirements creates a new source of potential liability for organizations that handle personal information, and re-emphasizes the need for organizations to periodically review and update their security practices. Separate and apart from breach response considerations, organizations must review their security practices and procedures for handling personal information in light of these new “reasonable security safeguards” obligations. A growing number of state laws impose similar requirements, such as New York’s SHIELD Act, which came into full force in March of this year.
Organizations should take note of the broadly expanded definition of “personal information” when determining whether a breach has occurred; when one has, they will likely be required to notify both individuals and the Attorney General, unless the breach involves fewer than 50 people. Additionally, when social security numbers or taxpayer identification numbers are involved in a breach, organizations must be prepared to provide free credit monitoring services, joining a number of states that now expressly require credit monitoring services where notifications are required as a result of certain breaches.
Although the D.C. law does not set a new high-water mark for data security, it does certainly signal that Karl Racine, the current D.C. Attorney General, wants to take a more aggressive role in forcing organizations to protect consumer data and investigating circumstances when those protections are breached.