Washington, D.C.: Attorney General Seeks Stronger Data Security Law

By Joseph J. Lazzarotti © Jackson Lewis April 3, 2019
Washington, D.C.: Attorney General Seeks Stronger Data Security Law

Washington D.C.'s attorney general, Karl A. Racine, recently proposed data-security legislation—the Security Breach Protection Amendment Act of 2019—adding to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.

Proposed in response to major data breaches, a frequent catalyst to stronger data privacy and security legislation, Racine's bill would expand legal protections concerning personal information to help prevent and enhance the response to a data breach. Specifically, the bill would:

Like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in Washington, D.C., would be much broader than in New Jersey and many other states. The legislation would include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles and health insurance information.

Require businesses that experience a data breach to include specific information in the notifications to affected people, such as (i) the categories of information that were, or are believed to have been, involved in the breach; (ii) contact information for the person making the notification, as well as the credit reporting agencies, the Federal Trade Commission and the Washington, D.C., attorney general; and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze.

Mandate that businesses offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and in April, Massachusetts, in requiring such services be provided following certain breaches.

The bill also would mandate that businesses that handle personal information implement reasonable safeguards to protect that data. Additionally, businesses that obtain services from a nonaffiliated third party and disclose personal information of a Washington, D.C., resident under an agreement with that third party must require the third party by agreement to safeguard that information. Again, these changes put Washington, D.C., in the company of states such as California, Colorado and Massachusetts as the legislative screws continue to tighten around data privacy and security.

Joseph J. Lazzarotti is an attorney with Jackson Lewis in Morristown, N.J. © 2019 Jackson Lewis. All rights reserved. Reposted with permission.



Hire the best HR talent or advance your own career.

Move your HR career forward.

Apply for the SHRM-CP or SHRM-SCP exam today! Applicants now have the option to test from home.

Apply for the SHRM-CP or SHRM-SCP exam today! Applicants now have the option to test from home.



HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.