DC Regulations

QUICK FACTS

  • For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Each failure to provide a District of Columbia resident with notification of a breach constitutes a separate violation.
  • For violations of the breach laws, a civil action may be brought and the Attorney General may bring an action resulting in a civil penalty of up to $100 for each violation, the costs of the action, and reasonable attorney’s fees.
  • Penalties resulting from violations involving use of consumer identification information include actions to recover actual damages or $500, whichever is greater, and for injunctive relief, which may include the award of reasonable attorney’s fees and court costs.
  • Civil and criminal penalties can result from the use or disclosure of health and human services information in a manner not authorized by law.
  • Additional requirements may be associated with digital student data and health information.
  • If a vendor is breached, the vendor must report the breach to the data owner. The data owner is then responsible for completing the reporting and consumer notification.
  • If your breach affects residents of other states, you will need to notify those residents under each state’s rules.

STATUTES AND LAWS

  • D.C. CODE §§ 28-3851 – 3853 CONSUMER SECURITY BREACH NOTIFICATION
  • D.C. CODE §§ 47-3151 – 3154 USE OF CONSUMER IDENTIFICATION INFORMATION
  • D.C. CODE §§ 38-831.01 – 38-831.06 PROTECTION OF STUDENTS DIGITAL PRIVACY
  • D.C. CODE §§ 7-241 – 7-248 HUMAN HEALTH CARE AND SAFETY/DATA SHARING
  • D.C. CODE § 38-607 STUDENT HEALTH FILES