Timing of Consumer Notification
“In the most expedient time possible and without unreasonable delay.”
Method of Notice
Mail. Email permitted if it complies with E-SIGN.
Breach Definition
Unauthorized acquisition of data, or any equipment or device storing such data, that compromises security, confidentiality, or integrity of personal information maintained by person or business.
PII Definition

Individual’s first name or first initial and last name, or phone number, or address, and any of these:

  1. Social Security number;
  2. Driver’s license number or District of Columbia Identification Card number;
  3. Credit card number or debit card number; or
  4. Any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account.
Third Party Notice
If data collector maintains covered information for someone else, it must notify them following discovery of breach in most expedient time possible.
How to Notify
No specific content requirement.
Substitute Notice

All: (a) email when person or business has email address for subject persons; (b) conspicuous posting of notice on website page of person or business if it maintains one; and (c) notice to major local and, if applicable, national media.

Credit Monitoring
Not required.
When to Notify Credit Agencies
If more than 1,000 D.C. residents must be notified.
State Government Agency Notification Required
Not required.