Washington, D.C. Notification Requirements and Fines
In the District of Columbia, any business that experiences a data breach must notify affected D.C. residents as soon as possible through mail or email. If the security breach affects more than 100,000 people, or the cost of notification exceeds $50,000, businesses can issue alerts via public service announcements. If an event affects more than 1,000 people, all consumer-reporting agencies must be notified. Businesses that fail to notify affected individuals can be fined up to $100 per incident.
Name of Law / Statute | N/A |
Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes; not limited to D.C. residents |
Who Is Subject to Law? | Any person or business conducting business in D.C. who licenses or owns PI |
Notification of Consumers? | Yes |
By what means? | Written or electronic (if consumer consented); if >1,000 residents, must notify consumer reporting agencies |
Substitute Notice Threshold? | If cost of notice >$50,000 or involves >100,000 residents |
Notification of authorities / regulators required? | No |
By what means? | N/A |
Regulatory Fines | Up to $100/person, plus costs and attorney fees |
Credit monitoring requirement? | No |
Private lawsuits allowed? | Yes |
Private damages cap? | Actual damages + costs and attorney fees |
Regulatory actions allowed? | Yes |
HIPAA Compliance exemption? | N/A |
Other (e.g., timeframe) | N/A |
Link to complete law | Washington, D.C.’s data breach law |