Top District Prosecutor Aims to Improve Consumer Breach Protection Scott Ferguson • March 22, 2019
The top prosecutor for Washington, D.C., is looking to strengthen the District’s data breach laws, offering greater protection for consumers and holding businesses more accountable when they lose data during a breach or mishandle information such as social security numbers or residents’ healthcare details.
District Attorney General Karl A. Racine introduced the Security Breach Protection Amendment Act of 2019 on Thursday. This new legislation would effectively update and modernize the District’s existing laws regarding identity theft and data loss. The mayor and council still need to approve the measure, and Congress also has 30 days to review the amendment since the federal government has say over local laws due to the Home Rule Act.
At the heart of the amendment is an expanded view of what constitutes “personal information” for those living in the District. Right now, current laws protect social security numbers, driver’s license numbers, along with credit card and debit card numbers. If the measure passes, it would expand protection to include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information.
The attorney general’s office cited the Equifax breach of 2017 as one reason why the local laws protecting consumers need to be expanded. Of the 143 million people affected by that incident, 350,000 lived in the District, according to the AG.
In broad strokes, the amendment also requires companies to better protect the data they collect and offer services to residents, such as identity theft protection if Social Security or tax identification numbers are exposed. Companies also need to inform victims of their rights following a breach and loss of personal information.
In a nod to the European Union’s General Data Protection Regulation, the proposal would require any company that is breached to report the incident to the attorney general’s office, which is similar to the EU’s rules requiring businesses that sustain an cyberattack to report it to government officials within a 72-hour window. (It’s not clear if the District law has a specific timeframe.)
A spokesperson for the attorney general’s office was not immediately available for comment, but in a statement posted to its website, Racine noted that: “The District’s current data security law does not adequately protect residents. Today’s amendment will bolster the District’s ability to hold companies responsible when they collect and use vast amounts of consumer data and do not protect it.”
The proposal in the District is one of several new legislative measures making their way through various legislatures throughout the U.S. The most prominent of these is in California and known at AB 375 or the California Consumer Privacy Act, which mirrors some of the protections offered by GDPR and allows residents to request information that companies collect on them. As the home of Silicon Valley, California is now considered the leading edge about how consumers are trying to gain back some control over their personal data.
AB 375 was signed into law in 2018, but is not scheduled to take effect until 2020.
Other states, including Washington and New York, are also weighing new state-wide laws.
On even more local level, the District is joining other cities such as Los Angeles, San Francisco and Seattle that are offering greater protections for consumers and attempting to hold enterprises more accountable for the data they collect and lose either by accident or through a breach.
In San Francisco, for example, voters approved a ballot measure in 2018 that now requires companies to better protect the information they collect, and businesses must disclose what data they collect in order to win government contracts.
At this month’s RSA Conference in San Francisco, Jon Callas, a security expert and software engineer who now holds the title of technology fellow at the American Civil Liberties Union, pointed to these and other local laws that are starting to strengthen protections for consumers. He did note that these issues are likely to be debated over the next 30 to 40 years.
The question now is whether Congress will pass a federal consumer data protection law that will supersede all of these local laws. For the third time in as many years, this type of law has now been proposed by the U.S. Senate and House, although it’s not clear whether it will pass or be signed into law by the president.
AG in the Spotlight
As the top law enforcement officer for the District, Ravine has been using issues of privacy and data protection to build a public profile.
Ravine, a Democrat, is currently suing Facebook over the data that Cambridge Analytica collected on approximately 87 million users without their consent. The District attorney general was one of the first government agencies to take the social media network to task over the scandal.
More recently, Ravine subpoenaed the records of President Trump’s inaugural committee to see if anyone illegally benefited from the spending on the event.