
District of Columbia

State statute: D.C. Code, Title 28, Subtitle II, Chapter 39, Subchapter II, §§28-3851 et seq.


Information Covered / Important Definitions

Information covered:

Personal information of District of Columbia residents.

Definition also includes (i) An individual's first name, first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person’s information:

  • Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account;
  • medical information;
  • genetic information and DNA profile;
  • health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
  • biometric data; and
  • any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Definition also includes: A user name or e-mail address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements listed above that permits access to an individual's e-mail account

Important definitions:

“Security Breach” means unauthorized acquisition of computerized or other electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of personal information maintained by the person or entity who conducts business in the District of Columbia.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information.

Third party recipients:

Any covered entity who maintains, handles or otherwise possesses computerized or other electronic data that includes personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach in the most expedient time possible following discovery of the breach.

Notice Procedures & Timing / Other Obligations

Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).

  • Substitute notice is available by means prescribed in the statute if costs exceed $50,000, the affected class exceeds 100,000 persons, or the covered entity has insufficient contact information.

Notification to individuals must include:

  • A description of the categories of information that were acquired, or that were reasonably believed to have been acquired;
  • Contact information for the person or entity issuing the notification, including business address, telephone number, and toll-free telephone number, if maintained;
  • Notification of a resident’s right to obtain a security freeze, including toll-free telephone numbers and addresses for the major consumer reporting agencies;
  • Toll-free telephone numbers, addresses, and websites for the Federal Trade Commission and the attorney general of the District of Columbia, including steps to take to avoid identity theft;
  • Offer of theft protection services at no cost for at least 18 months, if it is reasonably believed that a breach involved the Social Security number or tax identification number of a District resident;

Electronic notice directing a person to change their password and/or security question(s), if the breach only affected an online account.

Other Obligations:

Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.

The statute contains certain data security requirements for entities that own, license, maintain, handle or otherwise possess personal information of D.C. residents, and certain data destruction requirements.

The statute also requires covered entities to enter into written agreements with third party service providers that require the service provider to implement and maintain similar security procedures and practices. Entities subject to the security requirements of GLBA or HIPAA are exempt from the statute’s data security requirements.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Acquisition of data that has been rendered secure, including through encryption or redaction of such data, so as to be unusable by an unauthorized third party unless any information obtained has the potential to compromise the effectiveness of the security protection preventing unauthorized access.

Other exemptions:

Covered entities that are subject to HIPAA or GLBA and provide notice in compliance with HIPAA and GLBA shall be in compliance with security breach notification requirements of the statute with respect to the notification of residents whose personal information is included in the breach. Notice to Attorney General is still required.


A covered entity is deemed in compliance with the District of Columbia statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the District of Columbia statute.

Any covered entity subject to GLBA is exempt.

The term “breach of the security of the system” does not include:

(i) A good-faith acquisition of personal information by an employee or agency of the person or entity for the purposes of the person or entity if the personal information is not used improperly or subject to further unauthorized disclosure;

Notification to Regulator / Waiver

Written notice to the Office of the Attorney General is required if the breach affects 50 or more District residents. Notice shall be made in the most expedient manner possible, without unreasonable delay, and in no event later than when notice is provided to individuals. Notice must include:

  • The name and contact information of the person or entity reporting the breach;
  • The name and contact information of the person or entity that experienced the breach;
  • The nature of the breach;
  • The types of personal information compromised by the breach;
  • The number of District residents affected by the breach;
  • The cause of the breach;
  • Remediation actions taken, including steps to assist District residents;
  • The date and timeframe of the breach, if known;
  • Address and location of corporate headquarters, if outside of the District;
  • Any knowledge of foreign country involvement; and
  • A sample of the notice provided to District residents.

A waiver of the statute is void and unenforceable.

A determination of no likelihood of harm:

Security Breach does not include “acquisition of personal information of an individual that the person or entity reasonably determines, after a reasonable investigation and consultation with the Office of the Attorney General for the District of Columbia and federal law enforcement agencies, will likely not result in harm to the individual.”


Attorney General may recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorney's fees. Each failure to provide a District of Columbia resident with notification is a separate violation.

Attorney General may also bring petition for temporary or permanent injunctive relief and for an award of restitution for property lost or damages suffered by District of Columbia residents.

Any District of Columbia resident may bring a civil action to recover actual damages, the costs of the action, and reasonable attorney's fees. Actual damages may not include dignitary damages, including pain and suffering.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Enforcement by attorney general and individuals.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
