The Catholic University of America

Summary of District of Columbia Laws

Miscellaneous Laws

Consumer Personal Information Security Breach Notification Act of 2006

The Law: This law, effective July 1, 2007, amends Title 28 of the DC Code to ensure that consumers are notified when electronically stored personal information is compromised. The law also creates a private right of action, and provides for enforcement by the Attorney General.

Definitions:

Personal information means:

(i) An individual's first name or first initial and last name, or phone number, or address, and any one or more of the following data elements:

(I) Social security number;

(II) Driver's license number or District of Columbia Identification Card number; or

(III) Credit card number or debit card number; or

(ii) Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Breach of the security of the system means unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The term "breach of the security system" shall not include a good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business if the personal information is not used improperly or subject to further unauthorized disclosure. Acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party, shall not be deemed to be a breach of the security of the system.

Notification Required:

Any person or entity that conducts business in DC and that, in the course of that business, owns or licenses computerized or other electronic data that includes personal information, and that discovers a breach of the security of the system, must promptly notify any DC resident whose personal information was included in the breach. A person or entity that merely maintains, handles, or possesses such data on behalf of someone else (and does not own it) must instead notify the owner or licensee of the data of any breach in the most expedient time possible after discovery (§ 28-3852(b)).

How: Notification may be given by written notice; by electronic notice, where the consumer has consented to receive electronic notice consistent with the federal Electronic Signatures in Global and National Commerce Act (ESIGN, 15 U.S.C. § 7001); or by substitute notice (e-mail where an address is known, conspicuous posting on the entity's website, and notice to major local and, if applicable, national media), which is available only where the cost of notice would exceed $50,000, more than 100,000 persons must be notified, or the entity lacks sufficient contact information, as set out in the text of the law below.

When: Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation, but must then be made as soon as possible after the agency determines that notification will no longer compromise the investigation.

Who: Any DC resident whose personal information was included in the breach. In addition, if more than 1,000 persons must be notified, the entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in § 603(p) of the Fair Credit Reporting Act (15 U.S.C. § 1681a(p)), of the timing, distribution, and content of the notices. The entity need not give the consumer reporting agencies the names or other personal identifying information of the notice recipients. (The notice to consumer reporting agencies is not required of an entity that must already notify them of a breach under Title V of the Gramm-Leach-Bliley Act.)

Exception: An entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and whose procedures are consistent with the timing requirements of this law, is deemed in compliance if it gives notice under those procedures in a manner reasonably calculated to give actual notice to the persons entitled to it. If the entity's primary method of communication with the resident is electronic, notice may be given by e-mail. An entity that maintains breach notification procedures under Title V of the Gramm-Leach-Bliley Act and notifies each affected resident in accordance with that Act and its implementing rules and guidance is likewise deemed in compliance. Any waiver of a provision of this law is void and unenforceable.

Penalties for Non-Compliance:

DC residents injured by a violation may institute civil actions to recover actual damages, the costs of the action, and reasonable attorneys' fees; actual damages do not include dignitary damages such as pain and suffering. The AG may petition the DC Superior Court for temporary or permanent injunctive relief and for an award of restitution for property lost or damages suffered by DC residents. The AG may also recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorneys' fees. Each failure to provide a resident with notice constitutes a separate violation, and these remedies are cumulative with any other rights and remedies available under law.

Full Text of Law

D.C. ACT 16-593

IN THE COUNCIL OF THE DISTRICT OF COLUMBIA

DECEMBER 28, 2006

To amend Title 28 of the District of Columbia Official Code to ensure that consumers are notified when electronically-stored personal information is compromised in a way that increases the risk of identity theft, to create a private right of action for consumers harmed by a violation of the notification requirement, and to provide for enforcement by the Attorney General.

BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this act may be cited as the "Consumer Personal Information Security Breach Notification Act of 2006".

Sec. 2. Title 28 of the District of Columbia Official Code is amended as follows:

(a) The table of contents for Chapter 38 is amended to read as follows:

"CHAPTER 38. CONSUMER PROTECTIONS.

"Subchapter I. General.

"Sec.
"28-3801. Scope--Limitation on agreements and practices.
"28-3802. Definitions.
"28-3803. Balloon payments.
"28-3804. Assignment of earnings and authorization to confess judgment prohibited.
"28-3805. Debts secured by cross-collateral.
"28-3806. Attorney's fees.
"28-3807. Negotiable instruments prohibited.
"28-3808. Assignees subject to defenses.
"28-3809. Lender subject to defenses arising from sales.
"28-3810. Referral sales.
"28-3811. Home solicitation sales.
"28-3812. Limitation on creditors' remedies.
"28-3813. Consumers' remedies.
"28-3814. Debt collection.
"28-3815. Administrative enforcement.
"28-3816. Inconsistent laws: What law governs.
"28-3817. Health spa sales.
"28-3818. Layaway plans.
"28-3819. Rental housing locators.

"Subchapter II. Consumer Personal Information Security Breach Notification.
"§ 28-3851. Definitions.
"§ 28-3852. Notification of security breach.
"§ 28-3853. Enforcement.".

(b) The existing sections 28-3801 through 28-3819 are designated as "Subchapter I. General.".

(c) A new subchapter II is added to read as follows:

"Subchapter II. Consumer Security Breach Notification.

"§ 28-3851. Definitions.

"For purposes of this subchapter, the term:

"(1) "Breach of the security of the system" means unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The term "breach of the security system" shall not include a good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business if the personal information is not used improperly or subject to further unauthorized disclosure. Acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party, shall not be deemed to be a breach of the security of the system.

"(2) "Notify" or "notification" means providing information through any of the following methods:

"(A) Written notice;

"(B) Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act, approved June 30, 2000 (114 Stat. 641; 15 U.S.C.S. § 7001); or

"(C)(i) Substitute notice, if the person or business demonstrates that the cost of providing notice to persons subject to this subchapter would exceed $50,000, that the number of persons to receive notice under this subchapter exceeds 100,000, or that the person or business does not have sufficient contact information.

"(ii) Substitute notice shall consist of all of the following:

"(I) E-mail notice when the person or business has an e-mail address for the subject persons;

"(II) Conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; and

"(III) Notice to major local and, if applicable, national media.

"(3)(A) "Personal information" means:

"(i) An individual's first name or first initial and last name, or phone number, or address, and any one or more of the following data elements:

"(I) Social security number;

"(II) Driver's license number or District of Columbia Identification Card number; or

"(III) Credit card number or debit card number; or

"(ii) Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account.

"(B) For purposes of this paragraph, the term "personal information" shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

"§ 28-3852. Notification of security breach.

"(a) Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach. The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d) of this section, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

"(b) Any person or entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the person or entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.

"(c) If any person or entity is required by subsection (a) or (b) of this section to notify more than 1,000 persons of a breach of security pursuant to this subsection, the person shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by section 603(p) of the Fair Credit Reporting Act, approved October 26, 1970 (84 Stat. 1128; 15 U.S.C. § 1681a(p)), of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the person to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to a person or entity who is required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.).

"(d) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation but shall be made as soon as possible after the law enforcement agency determines that the notification will not compromise the investigation.

"(e) Notwithstanding subsection (a) of this section, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this subchapter shall be deemed to be in compliance with the notification requirements of this section if the person or business provides notice, in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given under this subchapter. Notice under this section may be given by electronic mail if the person or entity's primary method of communication with the resident is by electronic means.

"(f) A waiver of any provision of this subchapter shall be void and unenforceable.

"(g) A person or entity who maintains procedures for a breach notification system under Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.) ("Act"), and provides notice in accordance with the Act, and any rules, regulations, guidance and guidelines thereto, to each affected resident in the event of a breach, shall be deemed to be in compliance with this section.

"§ 28-3853. Enforcement.

"(a) Any District of Columbia resident injured by a violation of this subchapter may institute a civil action to recover actual damages, the costs of the action, and reasonable attorney's fees. Actual damages shall not include dignitary damages, including pain and suffering.

"(b) The Attorney General may petition the Superior Court of the District of Columbia for temporary or permanent injunctive relief and for an award of restitution for property lost or damages suffered by District of Columbia residents as a consequence of the violation of this subchapter. In an action under this subsection, the Attorney General may recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorney's fees. Each failure to provide a District of Columbia resident with notification in accordance with this section shall constitute a separate violation.

"(c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.".

(d) Section 28-3911(b)(1) is amended by striking the phrase "sections 28-3909 and 28-3905(i)(4)" and inserting the phrase "sections 28-3853, 28-3909, and 28-3905(i)(4)" in its place.

Reference: See D.C. Code §§ 28-3851 to 28-3853.

Updated 7.19.16 K.S.C.