D.C. Code § 28-3851 et seq
Enacted: 3.8.2007
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security of the system” means unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. See § 28-3851(1).
When is notice required?
Notice is required for all D.C. residents included in the breach "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement...and with any measures necessary to determine the scope of the breach and restore the integrity of the data system." See § 28-3852(a). If over 1,000 residents are included in the breach then consumer reporting agencies must be notified as well. Written, electronic, and substitute notice are all acceptable depending on the circumstances. Notably, there is no statutory requirement for the content of the notice.
What are the penalties for non-compliance?
§ 28-3853, which deals with enforcement, stipulates that residents may recover actual damages, the costs of the action, and reasonable attorney's fees. The Attorney General may also petition for temporary or permanent injunctive relief and for an award of restitution. The AG may recover a civil penalty not to exceed $100 for each violation (each resident that is not notified counts as a violation), the costs of the action, and reasonable attorney's fees.