ENGROSSED ORIGINAL
1 A BILL
2 23-215
3 IN THE COUNCIL OF THE DISTRICT OF COLUMBIA
4 ________________
5
6 To amend Title 28 of the District of Columbia Official Code concerning businesses data
7 breaches to expand definitions, to specify the required contents of a notification of a
8 security breach to a person whose personal information is included in a breach, to clarify
9 timeframes for reporting breaches, to require that written notice of the breach, including
10 specific information, be given to the Office of the Attorney General, to specify the
11 security requirements for the protection of personal information, to require the provision
12 of 18 months of identity theft prevention services when the breach results in the release
13 of social security or tax identification numbers, to make violation of the requirements for
14 protection of personal information an unfair or deceptive trade practice, and to make a
15 conforming amendment to the Consumer Protection Procedures Act.
16
17 BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this
18 act may be cited as the Security Breach Protection Amendment Act of 2020.
19 Sec. 2. Title 28 of the District of Columbia Official Code is amended as follows:
20 (a) Chapter 38 is amended as follows:
21 (1) Section 28-3801 is amended by striking the word chapter and inserting the
22 word subchapter in its place.
23 (2) The table of contents for subchapter 2 is amended by adding three new section
24 designations to read as follows:
25 28-3852a. Security Requirements.
1
 ENGROSSED ORIGINAL
26 28-3852b. Remedies.
27 28-3852c. Rulemaking..
28 (3) Section 28-3851 is amended as follows:
29 (A) Paragraph (1) is amended to read as follows:
30 (1)(A) Breach of the security of the system means unauthorized acquisition of
31 computerized or other electronic data or any equipment or device storing such data that
32 compromises the security, confidentiality, or integrity of personal information maintained by the
33 person or entity who conducts business in the District of Columbia.
34 (B) The term breach of the security of the system does not include:
35 (i) A good faith acquisition of personal information by an
36 employee or agency of the person or entity for the purposes of the person or entity if the personal
37 information is not used improperly or subject to further unauthorized disclosure;
38 (ii) Acquisition of data that has been rendered secure, including
39 through encryption or redaction of such data, so as to be unusable by an unauthorized third party
40 unless any information obtained has the potential to compromise the effectiveness of the security
41 protection preventing unauthorized access; or
42 (iii) Acquisition of personal information of an individual that the
43 person or entity reasonably determines, after consultation with District and federalafter a
44 reasonable investigation and consultation with the Office of the Attorney General for the District
2
 ENGROSSED ORIGINAL
45 of Columbia and federal law enforcement agencies, will likely not result in harm to the
46 individual.
47 (B) New paragraphs (1A) and (1B) are added to read as follows:
48 (1A) Genetic information has the meaning ascribed to it under the federal
49 Health Insurance Portability and Accountability Act of 1996 (HIPAA), approved August 21,
50 1996 (Pub. Law 104-191; 110 Stat. 1936), as specified in 45 C.F.R. 106.103.
51 (1B) Medical Information means any information about a consumers dental,
52 medical or mental health treatment or diagnosis by a health care professional..
53 (C) Paragraph (2) is amended by striking the word business wherever it
54 appears and inserting the word entity in its place.
55 (D) A new paragraph (2A) is added to read as follows:
56 (2A) Person or entity means an individual, firm, corporation, partnership,
57 company, cooperative, association, trust, or any other organization, legal entity, or group of
58 individuals. The term person or entity shall not include the District of Columbia government
59 or any of its agencies or instrumentalities..
60 (E) Paragraph (3) is amended to read as follows:
61 (3)(A) "Personal information" means:
3
 ENGROSSED ORIGINAL
62 (i) An individual's first name, first initial and last name, or any
63 other personal identifier, which, in combination with any of the following data elements, can be
64 used to identify a person or the persons information:
65 (I) Social security number, Individual Taxpayer
66 Identification Number, passport number, drivers license number, District of Columbia
67 identification card number, military identification number, or other unique identification number
68 issued on a government document commonly used to verify the identity of a specific individual;
69 (II) Account number, credit card number or debit card
70 number, or any other number or code or combination of numbers or codes, such as an
71 identification number, account number, security code, access code, or password, that allows
72 access to or use of an individual's financial or credit account;
73 (III) Medical information;
74 (IV) Genetic information and deoxyribonucleic acid
75 profile;
76 (V) Health insurance information, including a policy
77 number, subscriber information number, or any unique identifier used by a health insurer to
78 identify the person that permits access to an individuals health and billing information;
79 (VI) Biometric data of an individual generated by
80 automatic measurements of an individual's biological characteristics such as a fingerprint, voice
4
 ENGROSSED ORIGINAL
81 print, genetic print, retina or iris image, or other unique biological characteristic, that is used to
82 uniquely authenticate the individual's identity when the individual accesses a system or account;
83 or
84 (VII) Any combination of data elements included in sub-
85 sub-sub paragraphs (I) through (VI) of this sub-subparagraph that would enable a person to
86 commit identity theft without reference to a persons first name or first initial and last name or
87 other independent personal identifier.
88 (ii) A user name or e-mail address in combination with a
89 password, security question and answer or other means of authentication, or any combination of
90 data elements included in sub-sub-sub paragraphs (I) through (VI) that permits access to an
91 individual's e-mail account..
92 (4) Section 28-3852 is amended as follows:
93 (A) New subsections (a-1) and (a-2) are added to read as follows:
94 (a-1) The notification required under subsection (a) of this section shall include:
95 (1) To the extent possible, a description of the categories of information that
96 were, or are reasonably believed to have been, acquired by an unauthorized person, including the
97 elements of personal information that were, or are reasonably believed to have been, acquired;
5
 ENGROSSED ORIGINAL
98 (2) Contact information for the person or entity making the notification,
99 including the business address, telephone number, and toll-free telephone number if one is
100 maintained;
101 (3) The toll-free telephone numbers and addresses for the major consumer
102 reporting agencies, including a statement notifying the resident of the right to obtain a security
103 freeze free of charge pursuant to 15 U.S.C. 1681c-1 and information how a resident may
104 request a security freeze; and
105 (4) The toll-free telephone numbers, addresses, and website addresses for the
106 following entities, including a statement that an individual can obtain information from these
107 sources about steps to take to avoid identity theft:
108 (A) The Federal Trade Commission; and
109 (B) The Office of the Attorney General for the District of Columbia..
110 (a-2) Notwithstanding subsection (a-1), in the case of a breach of the security of the
111 system that only involves personal information defined in section 28-3851(3)(A)(ii), the person
112 or entity may comply with this section by providing the notification in electronic format or other
113 form that directs the person to change the persons password and security question or answer, as
114 applicable, or to take other steps appropriate to protect the e-mail account with the person or
115 entity and all other online accounts for which the person whose personal information has been
116 breached uses the same username or email address and password or security question or answer.
6
 ENGROSSED ORIGINAL
117 (B) New subsections (b-1) and (b-2) are added to read as follows:
118 (b-1) In addition to giving the notification required under subsection (a) of this section,
119 and subject to subsection (d) of this section, the person or entity required to give notice shall
120 promptly provide written notice of the breach of the security of the system to the Office of the
121 Attorney General if the breach affects 50 or more District residents. This notice shall be made in
122 the most expedient manner possible, without unreasonable delay, and in no event later than when
123 notice is provided under subsection (a) of this section. The written notice shall include:
124 (1) The name and contact information of the person or entity reporting the
125 breach;
126 (2) The name and contact information of the person or entity that experienced
127 the breach;
128 (3) The nature of the breach of the security of the system, including the name of
129 the person or entity that experienced the breach;
130 (4) The types of personal information compromised by the breach;
131 (5) The number of District residents affected by the breach;
132 (6) The cause of the breach, including the relationship between the person or
133 entity that experienced the breach and the person responsible for the breach, if known;
134 (7) Remedial action taken by the person or entity to include steps taken to assist
135 District residents affected by the breach;
7
 ENGROSSED ORIGINAL
136 (8) The date and time frame of the breach, if known;
137 (9) Address and location of corporate headquarters, if outside of the District;
138 (10) Any knowledge of foreign country involvement; and
139 (11) A sample of the notice to be provided to District residents.
140 (b-2) The notice required under subsection (b-1) of this section shall not be delayed on
141 the grounds that the total number of District residents affected by the breach has not yet been
142 ascertained..
143 (C) Subsection (e) is repealed.
144 (D) Subsection (g) is amended to read as follows:
145 (g) A person or entity who maintains procedures for a breach notification system under
146 Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15
147 U.S.C. 6801 et seq.), or the breach notification rules issued by the United States Department of
148 Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations,
149 established pursuant to the Health Insurance Portability Accountability Act of 1996 (Public Law
150 104-191), or the Health Information Technology for Economic and Clinical Health Act (Public
151 Law 111-5), and provides notice in accordance with such Acts, and any rules, regulations,
152 guidance and guidelines thereto, to each affected resident in the event of a breach, shall be
153 deemed to be in compliance with this section with respect to the notification of residents whose
154 personal information is included in the breach. The person or entity shall, in all cases, provide
8
 ENGROSSED ORIGINAL
155 written notice of the breach of the security of the system to the Office of the Attorney General as
156 required under subsection (b-1) of this section..
157 (5) New sections 28-3852a and 28-3852b, and 28-3852c are added to read as
158 follows:
159 28-3852a. Security requirements.
160 (a) To protect personal information from unauthorized access, use, modification,
161 disclosure or a reasonably anticipated hazard or threat, a person or entity that owns, licenses,
162 maintains, handles or otherwise possesses personal information of an individual residing in the
163 District shall implement and maintain reasonable security safeguards, including procedures and
164 practices that are appropriate to the nature of the personal information and the nature and size of
165 the entity or operation.
166 (b) A person or entity that uses a nonaffiliated third party as a service provider to
167 perform services for a person or entity and discloses personal information about an individual
168 residing in the District under a written agreement with the third party shall require by the
169 agreement that the third party implement and maintain reasonable security procedures and
170 practices that:
171 (1) Are appropriate to the nature of the personal information disclosed to the
172 nonaffiliated third party; and
9
 ENGROSSED ORIGINAL
173 (2) Are reasonably designed to protect the personal information from
174 unauthorized access, use, modification, and disclosure.
175 (c) When a person or entity is destroying records, including computerized or electronic
176 records and devices containing computerized or electronic records, that contain personal
177 information of a consumer, employee, or former employee of the person or entity, the person or
178 entity shall take reasonable steps to protect against unauthorized access to or use of the personal
179 information, taking into account:
180 (1) The sensitivity of the records;
181 (2) The nature and size of the business and its operations;
182 (3) The costs and benefits of different destruction and sanitation methods; and
183 (4) Available technology.
184 (d) A person or entity who is subject to and in compliance with requirements for
185 security procedures and practices contained in Title V of the Gramm-Leach-Bliley Act, approved
186 November 12, 1999 (113 Stat. 1436; 15 U.S.C. 6801 et seq.), or the Health Insurance
187 Portability Accountability Act of 1996 (Public Law 104-191), or the Health Information
188 Technology for Economic and Clinical Health Act (Public Law 111-5), and any rules,
189 regulations, guidance and guidelines thereto, shall be deemed to be in compliance with this
190 section..
191 28-3852b. Remedies.
10
 ENGROSSED ORIGINAL
192 When a person or entity experiences a breach of the security of the system that requires
193 notification under subsection 28-3852(a) or (b), and such breach includes or is reasonably
194 believed to include a social security number or taxpayer identification number, the person or
195 entity shall offer to each District resident whose social security number or tax identification
196 number was released identity theft protection services at no cost to such District resident for a
197 period of not less than 18 months. The person or entity that experienced the breach of the
198 security of its system shall provide all information necessary for District residents to enroll in the
199 services required under this subsection.
200 28-3852c. Rulemaking.
201 The Attorney General for the District of Columbia, pursuant to section 2-501 et seq.
202 may issue rules to implement the notification provisions pursuant to section 28-3852 section 28-
203 3852(b-1)..
204 (6) Section 28-3853 is amended as follows:
205 (A) Subsection (a) is repealed.
206 (B) Subsection (b) is amended to read as follows:
207 (b) A violation of this subchapter, or any rule issued pursuant to the authority of this
208 subchapter, is an unfair or deceptive trade practice pursuant to section 28-3904(kk)..
209 (b) Chapter 39 is amended as follows:
210 (1) Section 28-3904 is amended as follows:
11
 ENGROSSED ORIGINAL
211 (A) Subsection (ii) is amended by striking the word or.
212 (B) Subsection (jj) is amended by striking the period and inserting the
213 phrase ; or in its place.
214 (C) A new subsection (kk) is added to read as follows:
215 (kk) violate any provision of subchapter 2 of Chapter 38 of this title..
216 (2) Section 28-3905(k)(2)(A) is amended to read as follows:
217 (A)(i) Treble damages, or $1,500 per violation, whichever is greater,
218 payable to the consumer;
219 (ii) Notwithstanding sub-subparagraph (i) of this subparagraph,
220 fo