Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Treble damages, or $1,500 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Notice may be withheld only if, after a reasonable investigation and consultation with D.C.’s Office of the Attorney General and federal law enforcement agencies, the business determines that the breach is unlikely to result in harm to the affected individuals.
  • Regulatory reporting to the Attorney General is required if a breach affected 50 or more D.C. residents or if a business is unable to determine the number of affected residents.
  • The Attorney General must be notified no later than when notice is provided to affected individuals.
  • Specific information must be included in the breach notification to affected residents and the Attorney General.
  • For breaches involving more than 1,000 consumers, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • If a breach involves the Social Security Number or Tax ID number of an individual(s), the breached business (or business whose vendor experienced the breach) must offer identity theft protection services at no cost to affected individuals for at least 18 months.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses must have procedures and practices in place to protect PI from unauthorized access, use, modification and disclosure.
  • Businesses must have measures in place for secure disposal of computerized/electronic records and devices containing computerized/electronic records to protect against unauthorized access to or use of PI of consumers, employees and former employees.
  • Businesses must have a written agreement with vendors to whom they disclose PI, with a contractual obligation that the vendor must implement and maintain reasonable security processes and practices to protect the PI from unauthorized access, use, modification and disclosure.
  • For violations of the breach notification and data security requirements, a civil action may be brought resulting in a civil penalty of the greater of treble damages or $1,500 per violation. A consumer also has a private right of action to recover damages.
  • Additional requirements may be associated with digital student data and health information.
  • Unlawful use or disclosure of health information in a manner not authorized by law can result in civil and criminal penalties.
Statutes and Laws
  • D.C. Code §§ 28-3851 – 28-3853 Consumer Security Breach Notification; Security Requirements; Enforcement
  • D.C. Code § 28-3904 Unfair or Deceptive Trade Practices
  • D.C. Code § 28-3905 Complaint Procedures / recovery of damages
  • D.C. Code §§ 47-3151 – 47-3154 Use of Consumer Identification Information
  • D.C. Code §§ 38-831.01 – 38-831.06 Protection of Students Digital Privacy
  • D.C. Code §§ 7-241 – 7-248 Human Health Care and Safety/Data Sharing
  • D.C. Code § 38-607 Student health files