Skip to main content

District of Columbia

Click here to review text of state statute (see D.C.. Code, Title 28, Subtitle II, Chapter 39, Subchapter II, §§28-3851 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of District of Columbia residents.

Definition includes any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.

Important definitions:

“Security Breach” means unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns, or licenses computerized or other electronic data that includes personal information.

Third party recipients:

Any covered entity who maintains, handles, or otherwise possesses computerized or other electronic data that includes personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach in the most expedient time possible following discovery of the breach.

Notice Procedures & Timing / Other Obligations

Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).

  • Substitute notice is available by means prescribed in the statute if costs to exceed $50,000, affected class exceeds 100,000 persons, or covered entity has insufficient contact information.

Other Obligations:

Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

None.

Other exemptions:

A covered entity is deemed in compliance with the District of Columbia statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the District of Columbia statute.

Any covered entity subject to GLBA is exempt.

Notification to Regulator / Waiver

A waiver of the statue is void and unenforceable.

Penalties

Attorney general may recover a civil penalty not to exceed $100 for each violation, the costs of the action, and reasonable attorney's fees. Each failure to provide a District of Columbia resident with notification is a separate violation.

Attorney general may also bring petition for temporary or permanent injunctive relief and for an award of restitution for property lost or damages suffered by District of Columbia residents.

Any District of Columbia resident may bring a civil action to recover actual damages, the costs of the action, and reasonable attorney's fees. Actual damages may not include dignitary damages, including pain and suffering.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Enforcement by attorney general and individuals.

 

Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute (see D.C.. Code, Title 28, Subtitle II, Chapter 39, Subchapter II, §§28-3851 et seq.)

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints