District of Columbia

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay
Government Notification Required: Yes, if 50+ residents notified

D.C. Code §§ 28-3851 to 28-3853

Scope of this Summary:

Notification requirements applicable to persons or entities that conduct business in DC and that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

N/A

Breach Defined

Unauthorized acquisition of electronic data or any equipment or device storing such data that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply to information that has been rendered secure so as to be unusable to an unauthorized third party.

Form of Covered Info

Electronic Only

Covered Information

  • An individual's first name or first initial and last name, or any other personal identifier, which, in combination with any of the following data elements, can be used to identify a person or the person's information:
    • Social security number, Individual Taxpayer Identification Number, passport number, driver's license number, District of Columbia identification card number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
    • Account number, credit card number or debit card number, or any other number or code or combination of numbers or codes, such as an identification number, security code, access code, or password, that allows access to or use of an individual's financial or credit account.
    • Medical information, meaning any information about a consumer's dental, medical, or mental health treatment or diagnosis by a healthcare professional.
    • Genetic information and deoxyribonucleic acid profile has the meaning ascribed to it under the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), approved August 21, 1996 (Pub. Law 104-191; I l0 Stat. 1936), as specified in 45 C.F.R. § 160.103.
    • Health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer to identify the person that permits access to an individual's health and billing information.
    • Biometric data of an individual generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, genetic print, retina or iris image, or other unique biological characteristic, that's used to uniquely authenticate the individual's identity when the individual accesses a system or account.
    • Any combination of data elements included in the bulleted list that would enable a person to commit identity theft without reference to a person's first name or first initial and last name or other independent personal identifier.
  • A username or email address in combination with a password, security question and answer, or other means of authentication, or with any combination of data elements included in the bulleted list above that permits access to an individual's email account.

Consumer Notice Timing

Must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Consumer Notice Method

By written notice or by electronic notice if customer consented to receipt of electronic notice consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

  • Notice to affected individuals shall include the following:
    • To the extent possible, a description of the categories of information, including the elements of personal information, that were or are reasonably believed to have been acquired.
    • Contact information for the person or entity making the notification, including the business address, telephone number, and toll-free telephone number if one is maintained.
    • The toll-free telephone numbers and addresses for the major Consumer Reporting Agencies, including a statement notifying the resident of the right to obtain a security freeze free of charge and information how a resident may request a security freeze.
    • The toll-free telephone numbers, addresses, and websites for the following entities, including a statement that an individual can obtain information from these sources about steps to take to avoid identity theft: The Federal Trade Commission, The Office of the Attorney General for the District of Columbia.
  • In the event that the breach of information solely involved a username or email address in combination with a password, as defined in the above section regarding personal information, the person or entity may provide the notification in electronic format or other form that directs the person to change the person's password and security question or answer, or to take other steps appropriate to protect the email account with the person or entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.

Delayed Notice

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation.

Government Notice

Notification to the AG must be made if the breach affects 50 or more residents and no later than when notice was sent to the individuals.

Consumer Reporting Agency Notice

If more than 1,000 residents notified, must notify all nationwide Consumer Reporting Agencies without unreasonable delay of timing, distribution, and content of the consumer notice.

Exceptions for Other Laws

A covered entity is deemed in compliance with the statute if it maintains procedures for breach notification and provides notice in accordance with: The Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify it in the most expedient time possible following discovery of a breach.

Private Right of Action

A violation of the District of Columbia statute is considered an unfair or deceptive trade practice under D.C. Code § 28-3904(kk) and any consumer may bring an action seeking relief from the use of a trade practice in violation of this statute.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023