On March 26, 2020, Washington, D.C. enacted bill number B23-0215, amending its data breach notification law.

In addition to the data breach notification requirements (including medical and biometric data when compromised together with a person’s name), the bill also requires businesses to:

  • “Implement and maintain reasonable security safeguards, including procedures and practices that are appropriate

Strong data encryption is a best practice, but according to new guidance from the UK’s data protection authority, it may not exempt you from General Data Protection Regulation (GDPR) notification requirements if you suffer a breach. That’s a significant departure from most U.S. federal and state data privacy rules.

Our Privacy & Data Security team