Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $100 for each violation

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Each failure to provide a District of Columbia resident with notification of a breach constitutes a separate violation.
  • For violations of the breach laws, a civil action may be brought and the Attorney General may bring an action resulting in a civil penalty up to $100 for each violation, the costs of the action, and reasonable attorney’s fees.
  • Penalties resulting from violations involving use of consumer identification information include actions to recover actual damages or $500, whichever is greater, and for injunctive relief, which may include the award of reasonable attorney’s fees and court costs.
  • Civil and criminal penalties can result from violations of unlawful use or disclosure of health and human services information in a manner not authorized by law.
  • Additional requirements may be associated with digital student data and health information.
  • If a vendor is breached, the vendor must report the breach to the data owner. The data owner is then responsible for completing the breach reporting and consumer notification.
  • If your breach affects residents of other states, you will need to notify those residents according to each state's rules.
Statutes and Laws
  • D.C. Code §§ 28-3851 – 3853 Consumer Security Breach Notification
  • D.C. Code §§ 47-3151 – 3154 Use of Consumer Identification Information
  • D.C. Code §§ 38-831.01 – 38-831.06 Protection of Students Digital Privacy
  • D.C. Code §§ 7-241 – 7-248 Human Health Care and Safety/Data Sharing
  • D.C. Code § 38-607 Student health files
