For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Each failure to provide a District of Columbia resident with notification of a breach constitutes a separate violation.
For violations of the breach laws, a civil action may be brought and the Attorney General may bring an action resulting in a civil penalty up to $100 for reach violation, the costs of the action, and reasonable attorney’s fees.
Penalties resulting from violations involving use of consumer identification information include actions to recover actual damages or $500, whichever is greater, and for injunctive relief, which may include the award of reasonable attorney’s fees and court costs.
Civil and criminal penalties can result from violations of unlawful use or disclosure of health and human services information in a manner not authorized by law.
Additional requirements may be associated with digital student data and health information.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.