DC Attorney General Proposes Stricter Data Breach Notification Laws
Washington D.C. Attorney General Karl A. Racine has proposed stricter data breach notification laws. He anticipates that the new laws would provide greater protection to DC residents should their data be compromised in a data breach incident.
AG Racine introduced the Security Breach Protection Amendment Act on March 21, 2019. The Act updates the definition of ‘personal information’, expanding the types of information for which organisations would be required to send breach notification letters to individuals.
Currently, laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.
The Security Breach Protection Amendment Act would expand this definition to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information.
By expanding the definition, a wider range of consumer data is protected by law, and consumers have more awareness of what happens to their data.
Attorney General Racine said the Equifax data breach was a primary motivation for updating the laws. In 2017, Equifax, one of the largest credit reporting agencies in the US, experienced a breach which affected 148 million Americans, including 350,000 DC residents.
In addition to expanding the definition of personal information, if passed, the Security Breach Protection Amendment Act would require companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of DC residents to implement safeguards to ensure the integrity of personal information is protected. Adequate safeguards must be in place to ensure that no unauthorised third-party individuals could gain access to the data and use it for nefarious purposes.
The Act also includes provisions requiring companies to inform consumers of the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.
In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years of membership to identity theft protection services free of charge. The organisation would need to notify AG Racine if it experienced a breach of personal information. However, unlike other data privacy laws such as HIPAA or GDPR, organisations are given no deadline by which they must notify the AG.
Violations of the Security Breach Protection Amendment Act would be considered a violation of the DC Consumer Protection Procedures Act. Therefore, a significant financial penalty could be levied against the organisation.
In 2017, AG Racine attempted to introduce a similar bill providing additional protections to consumers in the event of a data breach. However, the DC council did not pass the bill.
The Mayor and the DC Council must approve the Security Breach Protection Amendment Act before it is passed to Congress for review. Congress has 30 days to complete its review of the legislation before coming to a decision.
Similar amendments have been proposed in several states and territories over the past few months. Although these laws provide much-needed updates in data privacy rights and protections offered to individuals, the lack of a uniform standard across the US creates difficulties for organisations operating in multiple states. While it is expected that there will be a federal data privacy law in the future, which would include measures to standardise data breach notifications, it is unknown when such a law will be introduced.