Washington D.C. Privacy Laws

Breach Notification

Mandated Timeframe

Without unreasonable delay

Fines & Penalties

Violations

Greater of treble damages or $1,500 per violation

REGULATION LEVELS

Chart legend: categories Breach Reporting, Consumer Notifications, Vendor Management, Vendor Contract Required; level scale Minimal, Basic, Comprehensive, Extensive.
LAWS RELATED TO PERSONAL INFORMATION
Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Washington D.C. Privacy Law Information

  • Privacy Program

    Organizations must have measures in place for the secure disposal of computerized/electronic records, and of devices containing such records, to protect against unauthorized access to or use of the personal information (PI) of consumers, employees and former employees. Organizations must have a written agreement with any Vendor to whom they disclose PI, contractually obligating the Vendor to implement and maintain reasonable security processes and practices that protect the PI from unauthorized access, use, modification and disclosure. Organizations must also maintain their own procedures and practices to protect PI from unauthorized access, use, modification and disclosure.

  • Breach Reporting

    If a breach involves an individual's Social Security Number or Tax ID number, the breached Organization (or the Organization whose Vendor experienced the breach) must offer identity theft protection services at no cost to affected individuals for at least 18 months. Specific information must be included in the breach notification to affected residents and to the Attorney General. Reporting to the Attorney General is required if a breach affected 50 or more D.C. residents, or if the Organization is unable to determine the number of affected residents.

  • Consumer Notification

    If a breach affects residents of other jurisdictions, those individuals must be notified under the breach notification laws of the jurisdiction where they reside. For breaches involving more than 1,000 consumers, notice must also be given to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The Attorney General must be notified no later than when notice is provided to affected individuals. Before concluding that a breach will not cause harm to individuals, an Organization must conduct a reasonable investigation and consult with D.C.'s Office of the Attorney General and federal law enforcement agencies.

  • Vendor/Third Parties

    If a Vendor is breached, it must immediately notify the Organization. The Organization is responsible for completing any required regulatory and consumer breach notifications.

  • Industry Specific

    Additional requirements may be associated with digital student data and health information.

  • Fines & Penalties

    For violations of the breach notification and data security requirements, a civil action may be brought, resulting in a civil penalty of the greater of treble damages or $1,500 per violation. A consumer also has a private right of action to recover damages. Civil and criminal penalties may additionally result from the use or disclosure of health information in a manner not authorized by law.

Washington D.C.

Statutes and Laws

D.C. CODE § 28-3904

Unfair or deceptive trade practices

D.C. CODE § 28-3905

Complaint procedures/recovery of damages

D.C. CODE § 38-607

Student health files

D.C. CODE §§ 28-3851 – 28-3853

Consumer Security Breach Notification; Security Requirements; Enforcement

D.C. CODE §§ 38-831.01 – 38-831.06

Protection of Students Digital Privacy

D.C. CODE §§ 47-3151 – 47-3154

Use of Consumer Identification Information

D.C. CODE §§ 7-241 – 7-248

Human Health Care and Safety/Data Sharing