Washington, D.C. Upgrades Data Security Bill
A newly passed, local bill aims to augment the city of Washington, D.C.’s digital security by adding passport numbers, military identifications, health and biometric data and genetic profiles to its list of personally identifiable information (PII) protected under an existing breach notification law.
To be extra clear: This local legislation involves just the district of Washington, D.C. It does not refer to any type of federal legislation.
The District’s current law, which dates to 2007, only covers social security numbers, drivers’ licenses and bank cards. The amended measure, which was introduced last year by Karl Racine, the District of Columbia’s Attorney General (AG), has passed the 12-member D.C. Council and is expected to be signed into law by mayor Muriel Bowser, StateScoop reported.
“If you think of all the advancements in data use and data collection over the past 13 years, there’s an enormous difference,” Elizabeth Wilkins, a senior counsel for policy in Racine’s office, told StateScoop. “There are all kinds of things we do online now that we didn’t do before.”
In addition to expanding the list of PII walled off from hackers, the legislation also gives the AG’s office the power to prosecute companies whose sub-par cybersecurity practices left them vulnerable to an attack. In addition, a new clause in the legislation allows the AG’s office to fine companies under the District’s Consumer Protection Procedures Act. And, it further requires organizations hit by hackers to notify not only affected customers but also the District AG’s office. “Our goal with this whole bill…was to make sure we’re implementing the strongest range of metrics,” Wilkins said. “We really feel we’re in the strongest vanguard of cybersecurity and data-breach protections.”
Under the amended bill, organizations that have suffered data breaches must provide details of the break-in and their data protection set up to District authorities. The standard D.C. will employ is whether a company has implemented ‘reasonable’ cybersecurity protections. “‘Reasonable’ is a pretty normal legal standard,” Wilkins said. “That gives us flexibility. You should have sophisticated measures to keep people’s data safe.”
D.C. is among a number of cities that have put in place cybersecurity protections. A year ago, New York City’s Department of Financial Services (DFS) created a new cybersecurity division tasked with protecting consumers and industries from cyber threats.