Washington, D.C. Adds Security Requirements in New Data Breach Notification Law
Washington, D.C. amended its data breach notification law (D.C. Act 23-268) on March 26, 2020, expanding the definition of personal information covered by the law and requiring businesses collecting data from D.C. residents to implement “reasonable security safeguards.”
Because D.C. law already provides a private right of action for violations of the data breach law, the updates will enable lawsuits in the event that an entity fails to meet the “reasonable security” standard—though recovery is limited to actual damages.
Source: Washington, D.C. Adds Security Requirements in New Data Breach Notification Law | Privacy & Security Law Blog | Davis Wright Tremaine