QUICK FACTS
- For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
- Each failure to provide a District of Columbia resident with notification of a breach constitutes a separate violation.
- For violations of the breach laws, a civil action may be brought and the Attorney General may bring an action resulting in a civil penalty up to $100 for reach violation, the costs of the action, and reasonable attorney’s fees.
- Penalties resulting from violations involving use of consumer identification information include actions to recover actual damages or $500, whichever is greater, and for injunctive relief, which may include the award of reasonable attorney’s fees and court costs.
- Civil and criminal penalties can result from violations of unlawful use or disclosure of health and human services information in a manner not authorized by law.
- Additional requirements may be associated with digital student data and health information.
- If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
- If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
STATUTES AND LAWS
- D.C. CODE §§ 28-3851 – 3853 CONSUMER SECURITY BREACH NOTIFICATION
- D.C. CODE §§ 47-3151 – 3154 USE OF CONSUMER IDENTIFICATION INFORMATION
- D.C. CODE §§ 38-831.01 – 38-831.06 PROTECTION OF STUDENTS DIGITAL PRIVACY
- D.C. CODE §§ 7-241 – 7-248 HUMAN HEALTH CARE AND SAFETY/DATA SHARING
- D.C. CODE § 38-607 STUDENT HEALTH FILES
