Washington, D.C. amended its data breach notification law (D.C. Act 23-268) on March 26, 2020, expanding the definition of personal information covered by the law and requiring businesses collecting data from D.C. residents to implement “reasonable security safeguards.” Because D.C. law already provides a private right of action for violations of the data breach law, the updates will enable lawsuits in the event that an entity fails to meet the “reasonable security” standard—though recovery is limited to actual damages.
Personal information covered by the law was previously limited to first name or initial and last name in combination with a sensitive identifying number (Social Security number, driver’s license or D.C. identification card number, or credit or debit card number), or numbers or codes that would allow access to an individual’s financial or credit account. DC Code § 28–3851(3).
The amended definition adds first name or initial and last name in combination with medical information, genetic information or a DNA profile, health insurance information, or biometric information. It also covers any listed data element on its own, without a name, if that element alone would allow a person to commit identity theft, and a user name or email address in combination with authentication data that would permit access to an individual’s email account.