On March 26, 2020, Washington, D.C. enacted bill number B23-0215, amending its data breach notification law.
In addition to the data breach notification requirements (including medical and biometric data when compromised together with a person’s name), the bill also requires businesses to:
- Implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and nature and size of the entity of the operation.
- Enter into written agreements with third-party service providers that require the service provider to implement and maintain security procedures and practices that are appropriate to the nature of the data and designed to prevent unauthorized access.
- Securely destroy records that contain personal information consistent with the nature of the information.
Entities subject to the security requirements of GLBA or HIPAA are exempt from the bill’s data security requirements.