Advanced Search
View Mobile Site
ExperiencePracticesProfessionalsOfficesEventsNews/BlogsFirmDiversityCareers

District of Columbia


D.C. Code § 28-3851 et seq.

Council Bill 16-810 (signed into law March 8, 2007)

Effective July 1, 2007
Application.  Any person or entity (collectively, Entity) who conducts business in DC and who, in the course of such business, owns or licenses computerized or other electronic data that includes PI. 
    • The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on DC residents, whether or not the Entity conducts business in DC. 
Security Breach Definition.  An unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of PI maintained by the Entity.
    • Acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party, shall not be deemed to be a breach of the security of the system.

    • Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used improperly or subject to further unauthorized disclosure.
Notification Obligation.  Any Entity to which the statute applies, and who discovers a breach of the security system, shall promptly notify any DC resident whose PI was included in the breach.

Notification to Consumer Reporting Agencies. If any Entity is required to notify more than 1,000 persons of a breach of security, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and content of the notices. This subsection shall not apply to an Entity who is required to notify consumer reporting agencies of a breach pursuant to Title V of the Gramm-Leach-Bliley Act.

Third-Party Data Notification.  Any Entity that maintains, handles, or otherwise possesses computerized or other electronic data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach of the security of the system in the most expedient time possible following discovery.

Timing of Notification.  The notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Personal Information Definition.  Any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, or an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements:
    • Social Security Number;

    • Driver license number or DC identification card number; or

    • Credit card number or debit card number.
Notice Required.  Notice may be provided by one of the following methods:
    • Written notice; or

    • Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available.  If the Entity demonstrates that the cost of providing notice to persons would exceed $50,000, that the number of persons to receive notice under the statute exceeds 100,000, or that the Entity does not have sufficient contact information.  Substitute notice shall consist of all of the following:
    • Email notice when the Entity has an email address for the subject persons;

    • Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and

    • Notice to major local and, if applicable, national media.
Exception: Own Notification Policy.  Any Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and whose procedures are otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if the Entity provides notice, in accordance with its policies, reasonably calculated to give actual notice to persons to whom notice is otherwise required to be given under the statute. 
    • Notice under this section may be given by email if the Entity’s primary method of communication with the DC resident is by email.
Exception:  Compliance with Other Laws.
    • Gramm-Leach-Bliley Act.  The provisions of this statute shall not apply to any Entity who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act.
Other Key Provisions:
    • Delay for Law Enforcement.  Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation.  Notice required by the statute must be made without unreasonable delay and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

    • AG Enforcement.  The AG may seek direct damages and injunctive relief.

    • Private Right of Action.  Any District of Columbia resident injured by a violation may institute a civil action to recover actual damages, the costs of the action, and reasonable attorney’s fees.  Actual damages shall not include dignitary damages, including pain and suffering.

    • Waiver Not Permitted.
Contact Us  ·  Mobile Access  ·  Site Map  ·  Terms Of Use  ·  Privacy Policy  ·  Legal Disclaimer  · Alumni ·  Perkins Coie Trust Company LLC
2012 Perkins Coie LLP