Washington D.C. Attorney General Karl A. Racine is pushing to strengthen the data breach notification laws for D.C. residents. If protected health information (PHI) is released without their knowledge, Attorney General Racine wants his residents notified more quickly and he wants to expand the circumstances when patients must be notified under the HIPAA breach notification rule.
On March 21, 2019, A.G. Racine introduced the Security Breach Protection Amendment Act, which expands the reasons for companies to send out a breach notification to their consumers in the event of a data breach.
The current D.C. data breach notification law only requires businesses to send out a breach notification if Social Security numbers, credit or debit card numbers, and/or driver’s license numbers are exposed. With Racine’s proposed amendment, the law would expand to personal information such as taxpayer ID numbers, genetic information, passport numbers, health insurance information, biometric information, and DNA profiles.
Other than his own residents in mind, Attorney General Racine commented that the main reason for his push on this amendment is to prevent breaches similar to the Equifax breach and to further protect state residents. The Equifax breach affected 143 individuals globally and 350,000 of D.C.’s own residents.
The Security Breach Protection Amendment Act expands to other areas as well. The act requires companies in the D.C. area to implement safeguards to protect the personal information of residents that they either handle, own, collect, license, or possess. The act also requires these companies to explain what information was breached, and also states that the companies must offer a security freeze on the consumers’ accounts for free if the consumer elects to use this option. Minimally, the company must explain what steps are necessary to protect the consumer’s identity moving forward.
If consumers’ Social Security numbers are breached, there is different protocol that is written into the Act. Companies are required to offer a minimum of two years membership to an identity theft protection service at no cost to the consumer. The D.C. Attorney General would also be required to be notified of the breach, however there is no timetable for that notification listed in the Act.
Attorney General Racine attempted to pass a similar bill in 2017, however it did not pass the D.C. Council and was therefore denied. This new bill is required to be approved by the Mayor and D.C. Council, and if it passes these offices, it will be sent to Congress for further approval within a 30 day time period. Racine’s updated bill looks to help D.C. residents and their PHI, and although this will help protect private information, businesses may see this having negative impacts. Businesses that operate in multiple states need to be cognizant of each state law, as multiple states have passed individual security breach protection laws over the past few months. Each state has different perspectives of the definition of personal information, and businesses will need to brush up on their legal knowledge moving forward.