Data Breach Laws in Washington, DC
If you own a business that collects customer data, you need to familiarize yourself with the laws surrounding data breaches. A breach of data security can be confusing, especially in determining what laws govern the breach. It’s important you understand the law in any state where you do business and are aware of the reporting requirements; otherwise, you could be held liable for damages.
When a data leak occurs, the company has to be prepared for the aftermath and work quickly to resolve any complications a data breach might’ve caused. While your first priority might be stopping the breach, and keeping the issue from further harming clients or the company itself, notifications are still mandatory. If you fail to adhere to the notification requirements, you could face penalties and be held liable.
What is Protected Information?
First, you need to understand what counts as protected information. It is an individual’s name in combination with one or more of these elements:
- Driver’s license number
- Social Security number
- Debit card number and PIN
- Credit card number
- Access codes
- Account number
This information is not limited to just D.C. residents either.
Data Breaches in Washington, D.C.
In Washington, D.C., data breach laws are covered under D.C. Code Sections 28-3851 to 28-3853. If you have a business in D.C., keep computerized data or other electronic data that includes clients’ personal information, and have a breach in security of your system, you must notify any D.C. resident whose personal information was included in the breach. The notification should be made through mail or email, and it needs to occur in an expedient manner and without unreasonable delay, consistent with the needs of law enforcement. In addition, the business must determine the amount of data affected and work on restoring security to the system. This requirement is also applicable to anyone who handles, possesses, or maintains electronic and computerized data.
The only case in which notification under the statute might be delayed is if and when a law enforcement agency feels notifying people would hinder a criminal investigation. The business is required to notify affected parties as soon as law enforcement decides the notification will not put the investigation at risk.
In the event you suffer a breach and more than 1,000 people are affected, you must notify all consumer-reporting agencies. If the breach affects more than 100,000 people, or the cost of notification exceeds $50,000, businesses are allowed to notify parties through public service announcements. If you fail to notify individuals as required, your business can be fined up to $100 per record.
Retaining a Washington, DC Attorney
It’s important you speak with a Washington, DC business litigation attorney to understand what the potential risks are and what potential liability your company could be facing in the event of a breach. If you need to learn how to safeguard your company from a data breach, or you are being sued for an alleged breach, the team at Tobin O’Connor & Ewing has years of experience in business litigation. Contact us on our website or call our office at 202-362-5900 to schedule a consultation.