[BreachExchange] D.C. Attorney General Calls for Expanding Data Breach Notice Law

Destry Winant destry at riskbasedsecurity.com
Fri Mar 22 08:54:29 EDT 2019


The District of Columbia’s top lawyer has unveiled a proposal that
would expand the city’s data breach notification law and give the
attorney general’s office greater enforcement power.

D.C. Attorney General Karl Racine (D) announced the Security Breach
Protection Amendment Act March 21. It would regulate companies that
faced “major data breaches that have put tens of millions of
consumers, and hundreds of thousands of District residents, at risk of
identity theft and other types of fraud.”

Racine’s proposal comes as a growing number of states and territories
are pushing for local privacy laws. California’s comprehensive privacy
law will take effect January 2020, and states such as Washington and
New York are looking to pass their own privacy standards.

Cities such as Los Angeles and San Francisco have introduced privacy
standards or brought lawsuits to hold companies accountable for
alleged data misuse. Seattle and San Francisco have been active on
privacy regulation and enforcement.

Companies have felt the pressure from local enforcement authorities
and are pushing Congress to pass a national privacy standard to
normalize the varying state and territory standards. Some companies
are pushing for a federal bill because a patchwork of state privacy
laws allegedly favors tech giants that can deal with the state

The D.C. attorney general’s proposal would widen the district’s law to
cover taxpayer identification numbers, genetic information and DNA
profiles, military identification data and other types of personal
information. Companies that handle personal information would have to
“maintain security safeguards against unauthorized access or use of
data,” under Racine’s proposed changes

The amendments would give Racine more enforcement power against tech
companies by making them notify his office of any data breach. The
office would have new enforcement authority over companies that fail
to do so.

Racine is embroiled in litigation against Facebook Inc. over whether
the company broadly misused user data. The D.C. Superior Court is set
to hear arguments March 22 on whether the case should be dismissed.

“Data breaches and identity theft continue to pose major threats to
District residents and consumers nationwide,” Racine said in his

Racine proposed a similar bill in 2017 to increase consumer
protections in the district. The bill, introduced by the council
chairman at the request of the attorney general, didn’t clear the D.C.

More information about the BreachExchange mailing list