Data-breach bill gives D.C. power to go after companies with weak cybersecurity
The city of Washington, D.C., is set to strengthen its data-breach laws following the passage this week of a bill that greatly expands the definition of personal identifying information that companies doing business in the District are required to protect. It also gives local authorities greater prosecutorial power against companies that expose their customers’ sensitive data.
The bill, which was introduced last year by D.C. Attorney General Karl Racine, adds passport numbers, military identifications, health and biometric data and genetic profiles — such as information shared with genealogical websites like 23andMe — to the categories of data that are protected under the District’s breach notification law, which was implemented in 2007. The original law only covered residents’ Social Security numbers, driver’s licenses and credit- and debit-card numbers. But the amount and types of information that people have begun to share in the last decade-plus prompted another look at the law, said Elizabeth Wilkins, a senior counsel for policy in Racine’s office.
“If you think of all the advancements in data use and data collection over the past 13 years, there’s an enormous difference,” she said. “There are all kinds of things we do online now that we didn’t do before.”
The bill, which passed the 12-member D.C. Council unanimously and now awaits the signature of Mayor Muriel Bowser, also gives Racine’s office more teeth in going after companies that experience data breaches because of weak cybersecurity practices. It adds a requirement that entities that suffer a breach provide notifications to the Office of Attorney General, in addition to their affected customers. And it also gives Racine’s office new powers to pursue penalties or fines from companies using the District’s Consumer Protection Procedures Act.
“CPPA gives us investigatory tools,” Wilkins said. “This gives us power to see them in court. Gives us power for pretty significant penalties and get restitution for consumers.”
The District of Columbia is no stranger to data-breach suits, having participated in many multi-state settlements, including the 2017 breach of the credit-rating agency Equifax, which affected 147 million people nationally and nearly 350,000 of the city’s residents.
The new bill also requires companies that are breached to provide D.C. officials with detailed descriptions about their data-protection measures, which Wilkins said the attorney general’s office can then use to determine if companies employed “reasonable” cybersecurity protections.
“If you think of what you give to a bank or 23andMe, they should have reasonable security measures,” she said. “‘Reasonable’ is a pretty normal legal standard. That gives us flexibility. You should have sophisticated measures to keep people’s data safe. That is what states argued in cases like Equifax. A company like Equifax shouldn’t fail to install patches.”
Equifax was ordered in January to pay consumers $380.5 million over the 2017 breach, which occurred after hackers infiltrated the company’s systems; those systems were running outmoded software for which patches were easily available.
Wilkins said the revisions to the data-breach bill, which also include a requirement that companies that expose residents’ Social Security numbers provide their customers with 18 months of free credit monitoring, give the District one of the strongest data-protection statutes in the country.
“Our goal with this whole bill, including the definition of personal definition, was to make sure we’re implementing the strongest range of metrics,” she said. “We really feel we’re in the strongest vanguard of cybersecurity and data-breach protections.”