QUICK FACTS

  • For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Each failure to provide a District of Columbia resident with notification of a breach constitutes a separate violation.
  • For violations of the breach laws, a civil action may be brought and the Attorney General may bring an action resulting in a civil penalty of up to $100 for each violation, the costs of the action, and reasonable attorney’s fees.
  • Penalties resulting from violations involving use of consumer identification information include actions to recover actual damages or $500, whichever is greater, and for injunctive relief, which may include the award of reasonable attorney’s fees and court costs.
  • Civil and criminal penalties can result from violations of unlawful use or disclosure of health and human services information in a manner not authorized by law.
  • Additional requirements may be associated with digital student data and health information.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.

STATUTES AND LAWS

  • District of Columbia Consumer Protection Procedures Act (CPPA): This law prohibits unfair and deceptive practices in trade or commerce, including the collection and use of personal information by businesses. It also provides for private rights of action for consumers who have been harmed by violations of the law.
  • District of Columbia Data Breach Notification Act: This law requires businesses to notify consumers if their personal information has been compromised in a security breach. It also requires businesses to implement and maintain reasonable security procedures to protect consumer data.
  • District of Columbia Security Breach Protection Amendment Act: This law requires businesses to implement and maintain reasonable security procedures to protect consumer data and to provide clear and conspicuous notice of their data collection and sharing practices.
  • District of Columbia Electronic Personal Information Protection Act: This law regulates the collection and use of personal information obtained through electronic commerce, such as online transactions. It requires businesses to provide clear and conspicuous notice of their data collection and sharing practices and obtain consent from consumers before collecting and sharing their personal information.
  • District of Columbia Medical Record Confidentiality Act: This law protects the privacy of medical records and requires healthcare providers and insurers to obtain patient consent before disclosing medical information to third parties.