For purposes of this subchapter, the term:
(1) “Breach of the security of the system” means unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The term “breach of the security system” shall not include a good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business if the personal information is not used improperly or subject to further unauthorized disclosure. Acquisition of data that has been rendered secure, so as to be unusable by an unauthorized third party, shall not be deemed to be a breach of the security of the system.
(2) “Notify” or “notification” means providing information through any of the following methods:
(A) Written notice;
(B) Electronic notice, if the customer has consented to receipt of electronic notice consistent with the provisions regarding electronic records and signatures set forth in the Electronic Signatures in Global and National Commerce Act, approved June 30, 2000 (114 Stat. 641; 15 U.S.C.S. § 7001); or
(C)(i) Substitute notice, if the person or business demonstrates that the cost of providing notice to persons subject to this subchapter would exceed $50,000, that the number of persons to receive notice under this subchapter exceeds 100,000, or that the person or business does not have sufficient contact information.
(ii) Substitute notice shall consist of all of the following:
(I) E-mail notice when the person or business has an e-mail address for the subject persons;
(II) Conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; and
(III) Notice to major local and, if applicable, national media.
(3)(A) “Personal information” means:
(i) An individual's first name or first initial and last name, or phone number, or address, and any one or more of the following data elements:
(I) Social security number;
(II) Driver's license number or District of Columbia Identification Card number; or
(III) Credit card number or debit card number; or
(ii) Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account.
(B) For purposes of this paragraph, the term “personal information” shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
CREDIT(S)
(Mar. 8, 2007, D.C. Law 16-237, § 2(c), 54 DCR 393.)
HISTORICAL AND STATUTORY NOTES
Legislative History of Laws
Law 16-237, the “Consumer Personal Information Security Breach Notification Act of 2006”, was introduced in Council and assigned Bill No. 16-810, which was referred to Committee on Consumer and Regulatory Affairs. The Bill was adopted on first and second readings on November 14, 2006, and December 5, 2006, respectively. Signed by the Mayor on December 28, 2006, it was assigned Act No. 16-593 and transmitted to both Houses of Congress for its review. D.C. Law 16-237 became effective on March 8, 2007.
Miscellaneous Notes
Section 3 of D.C. Law 16-237 provided: “This act shall apply as of July 1, 2007.”