Please note that log in for BLAW products will be unavailable for scheduled maintenance on Sunday, February 5th from approximately 4 AM to 5 AM EST.
Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

D.C. Attorney General Calls for Expanding Data Breach Notice Law

March 21, 2019, 8:30 PM

The District of Columbia’s top lawyer has unveiled a proposal that would expand the city’s data breach notification law and give the attorney general’s office greater enforcement power.

D.C. Attorney General Karl Racine (D) announced the Security Breach Protection Amendment Act March 21. It would regulate companies that faced “major data breaches that have put tens of millions of consumers, and hundreds of thousands of District residents, at risk of identity theft and other types of fraud.”

Racine’s proposal comes as a growing number of states and territories are pushing for local privacy laws. California’s comprehensive privacy law will take effect January 2020, and states such as Washington and New York are looking to pass their own privacy standards.

Cities such as Los Angeles and San Francisco have introduced privacy standards or brought lawsuits to hold companies accountable for alleged data misuse. Seattle and San Francisco have been active on privacy regulation and enforcement.

Companies have felt the pressure from local enforcement authorities and are pushing Congress to pass a national privacy standard to normalize the varying state and territory standards. Some companies are pushing for a federal bill because a patchwork of state privacy laws allegedly favors tech giants that can deal with the state standards.

The D.C. attorney general’s proposal would widen the district’s law to cover taxpayer identification numbers, genetic information and DNA profiles, military identification data and other types of personal information. Companies that handle personal information would have to “maintain security safeguards against unauthorized access or use of data,” under Racine’s proposed changes

The amendments would give Racine more enforcement power against tech companies by making them notify his office of any data breach. The office would have new enforcement authority over companies that fail to do so.

Racine is embroiled in litigation against Facebook Inc. over whether the company broadly misused user data. The D.C. Superior Court is set to hear arguments March 22 on whether the case should be dismissed.

“Data breaches and identity theft continue to pose major threats to District residents and consumers nationwide,” Racine said in his statement.

Racine proposed a similar bill in 2017 to increase consumer protections in the district. The bill, introduced by the council chairman at the request of the attorney general, didn’t clear the D.C. Council.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Keith Perine at