District of Columbia Data Breach Notification Laws: Reporting Rules & Timelines (2026)

The District of Columbia has one of the more stringent data breach notification laws in the country. While many states set AG reporting thresholds at 250, 500, or even 1,000 affected residents, DC triggers that obligation at just 50 people. Combined with a private right of action that allows consumers to pursue treble damages and a mandatory 18-month identity theft protection requirement for breaches involving Social Security numbers or taxpayer identification numbers, the District gives residents real tools to hold organizations accountable.
This guide covers every key provision of DC's breach notification framework, from who must comply and what triggers a notification to enforcement mechanisms and consumer remedies. For the broader picture of DC privacy protections, see the parent guide on [District of Columbia Data Privacy Laws](/us-laws/data-privacy-laws/district-of-columbia-data-privacy-laws).
The Governing Statute: DC Code 28-3851 Through 28-3853
DC's breach notification requirements are found in Subchapter II of Chapter 38 of Title 28 of the DC Code. The original law was enacted in 2007 and significantly strengthened by the Security Breach Protection Amendment Act of 2020 (D.C. Law 23-98), which took effect on June 17, 2020.
The subchapter now contains six sections:
- DC Code 28-3851: Definitions
- DC Code 28-3852: Notification of security breach
- DC Code 28-3852.01: Security requirements
- DC Code 28-3852.02: Remedies (identity theft protection)
- DC Code 28-3852.03: Rulemaking authority
- DC Code 28-3853: Enforcement
The 2020 amendment expanded the definition of personal information, added mandatory security requirements, created the AG notification obligation, and established remedies for breaches involving Social Security numbers.
Who Must Comply
The law applies to any person or entity that conducts business in the District of Columbia and owns or licenses computerized or other electronic data that includes personal information of DC residents. It also applies to entities that maintain, handle, or otherwise possess such data on behalf of the data owner.
DC government agencies are excluded from the definition of "person or entity" under the statute, though they may be subject to separate data protection requirements.
If you are a third-party service provider holding personal information on behalf of another organization, you must notify the data owner or licensee when you discover a breach. The data owner then bears the responsibility for notifying affected residents.
What Counts as Personal Information

DC Code 28-3851 defines personal information broadly. It includes an individual's first name or initial and last name, or phone number, or address, combined with any of the following data elements:
- Social Security number
- Driver's license or DC identification card number
- Passport number
- Taxpayer identification number
- Military ID number
- Account number, or credit or debit card number, together with any security code, access code, password, or other code that would allow access to or use of the individual's financial or credit account
- Medical information (any data about dental, medical, or mental health treatment or diagnosis by a health care provider)
- Genetic information (as defined under HIPAA at 45 C.F.R. 160.103)
- Health insurance information (policy number or subscriber ID combined with a unique identifier used by the insurer)
- Biometric data (fingerprints, voice prints, retina or iris images, or other unique biological characteristics used for authentication)
- Email address combined with a password, security question answer, or other authenticating data
This is one of the broader definitions among US jurisdictions. The inclusion of biometric data, genetic information, medical records, and email credentials goes well beyond the name-plus-SSN model that older state laws used.
Publicly available information lawfully accessible from federal, state, or local government records is excluded.
What Triggers a Notification
A notification obligation arises when there is a "breach of the security of the system," defined as the unauthorized acquisition of computerized or other electronic data, or any equipment or device storing such data, that compromises the security, confidentiality, or integrity of personal information.
Three situations are excluded from the definition:
- Good-faith employee access. If an employee or agent accesses personal information in the course of their duties and does not use or disclose it in an unauthorized way, that is not a breach.
- Encrypted or redacted data. Acquisition of data that has been rendered secure through encryption or redaction is not a breach, unless the encryption keys or redaction methods were also compromised.
- No risk of harm. After a good-faith investigation, if the entity reasonably determines that the acquired information is unlikely to cause harm to the affected individuals, notification is not required.
The encryption exclusion is significant, but it is narrower than it first appears. It turns on whether the acquired data was actually unusable to the person who acquired it, so the two questions to answer during the investigation are where decryption happens and what else the attacker obtained. Full-disk or volume encryption supports the exclusion against a stolen laptop or drive, but not against an attacker who queried a running database or application, because the data is decrypted before it is served. Keys, passwords, or API credentials stored in the same repository, backup, or database dump as the ciphertext mean the key was "also compromised" and the exclusion is lost. Field-level encryption with keys held separately (in a KMS or HSM) and access-logged is the pattern that most reliably supports a no-notification determination, and that determination should be documented at the time it is made in case the Attorney General or a plaintiff later challenges it.
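Envelope encryption is one way to keep the key physically separate from the data so that a stolen copy of the store contains only ciphertext and wrapped keys. The following Go program is an added example written for this article, not code from the page's sources or from any DC agency. The in-memory KEK and the "resident-0001" record are constructed stand-ins for a KMS-held key and real data; everything else uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is everything the data store persists for one person: the ciphertext
// of the personal information and a per-record data encryption key (DEK)
// wrapped under a key-encryption key (KEK). The KEK is never written next to
// the data; in production it lives in a KMS or HSM (here: held in memory).
type Record struct {
	ID         string // row identifier, bound into both ciphertexts as AAD
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=ID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, personal info, aad=ID)
}

// NewKey returns 32 random bytes, used for the KEK and for each DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext under key with AES-GCM and a fresh random nonce,
// returning nonce || ciphertext || tag. aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, modified ciphertext, or mismatched aad
// all fail authentication rather than yielding garbage.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a fresh DEK for this record, encrypts the personal
// information under it, wraps the DEK under the KEK, and discards the raw DEK.
func EncryptRecord(kek []byte, id string, personalInfo []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, personalInfo, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord is what an attacker must be able to do to hold usable
// personal information: unwrap the DEK (which needs the KEK), then decrypt.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	return unseal(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kek, _ := NewKey() // stands in for a KMS-held key (assumption)
	// Constructed sample record; not real data.
	rec, err := EncryptRecord(kek, "resident-0001", []byte("Jane Doe, SSN 000-00-0000"))
	if err != nil {
		panic(err)
	}
	// Scenario 1: the database dump is exfiltrated but the KMS is not.
	otherKey, _ := NewKey()
	if _, err := DecryptRecord(otherKey, rec); err != nil {
		fmt.Println("dump without KEK is unreadable:", err)
	}
	// Scenario 2: the KEK was also compromised; the exclusion no longer applies.
	pt, _ := DecryptRecord(kek, rec)
	fmt.Printf("dump with KEK: %q\n", pt)
}
```

Binding the row identifier as associated data means a wrapped DEK cannot be moved onto another row's ciphertext, and the authentication tag means any modification of the stored blob is detected rather than silently decrypted. The operational point is that the KMS audit log, not the database, is what tells you whether the key was "also compromised".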
Notification Timeline and Requirements
When to Notify
DC Code 28-3852 requires notification "in the most expedient time possible and without unreasonable delay." The statute does not set a hard deadline measured in calendar days, unlike states that specify 30, 45, or 60 days.
The timeline must be consistent with:
- The legitimate needs of law enforcement (notification can be delayed if law enforcement determines it would impede a criminal investigation)
- Measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system
Once any law enforcement delay is lifted, notification must proceed as soon as possible.
What the Notice Must Include
Written breach notifications to affected DC residents must contain:
- A description of the categories of personal information that were, or are reasonably believed to have been, compromised
- Contact information for the notifying entity
- Phone numbers for major consumer reporting agencies
- Information about how to place a security freeze on credit reports
- Contact information for the Federal Trade Commission and the DC Office of the Attorney General
- Guidance on identity theft prevention from the FTC and the AG
Methods of Notice
Notification can be delivered through:
- Written notice sent to the last known postal address of the affected individual
- Electronic notice if the entity has a valid email address and the individual has consented to electronic communication
- Substitute notice if the cost of direct notice would exceed $50,000, the affected group exceeds 100,000 individuals, or the entity lacks sufficient contact information (substitute notice requires email to known addresses, conspicuous website posting, and notification to major DC-area media outlets)
The 50-Resident AG Notification Threshold

One of DC's most distinctive provisions is its low threshold for notifying the Attorney General. Under DC Code 28-3852(b-1), when a breach affects 50 or more District residents, the entity must send written notice to the Office of the Attorney General.
For comparison, many states set this threshold at 250 or 500, and some have no AG notification requirement at all. DC's low bar means that even a relatively small breach involving personal information of DC residents will require a formal report to the AG.
The AG notice must be provided "in the most expedient manner possible, without unreasonable delay" and no later than the time at which notice is sent to affected residents. The notice to the AG must include:
- The nature of the breach, including the name and contact information of the entity
- The types of personal information compromised
- The number of DC residents affected
- The cause of the breach, if known, including the entity's relationship to the person responsible
- Remedial actions taken or planned
- The date and time frame of the breach, if known
- The address and location of corporate headquarters if the entity is located outside the District
- Any knowledge of foreign country involvement
- A sample of the notice sent to affected residents
When 1,000 or more individuals are notified, the entity must also inform nationwide consumer reporting agencies about the timing, distribution, and content of the notifications.
Mandatory Identity Theft Protection

DC Code 28-3852.02 requires that when a breach includes or is reasonably believed to include a Social Security number or taxpayer identification number, the entity must offer each affected DC resident identity theft protection services at no cost for at least 18 months.
The entity must also provide all information necessary for residents to enroll in those services. This is not optional or discretionary. Any breach involving SSNs or taxpayer IDs automatically triggers this obligation.
This 18-month requirement is longer than the 12-month standard that many states use, giving DC residents an extended period of monitoring after their most sensitive identifiers are compromised.
Data Security Requirements
The 2020 amendment added DC Code 28-3852.01, which imposes affirmative security obligations. Any entity that possesses personal information of DC residents must "implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information."
This standard requires organizations to consider the sensitivity of the data and the size and complexity of their operations when designing security measures. The law does not prescribe specific technical controls, instead using the "reasonable" standard common in data security regulation.
Third-Party Service Providers
When entities engage third-party service providers that will handle personal information, they must execute written agreements requiring those providers to maintain reasonable security procedures and practices appropriate to the nature of the data.
Records Destruction
When destroying physical or digital records containing personal information, entities must take reasonable steps to prevent unauthorized access. Factors to consider include the sensitivity of the records, the size of the business, available technology, and the cost of destruction methods.
Federal Compliance Safe Harbor
Organizations that comply with the data security requirements of the Gramm-Leach-Bliley Act (Title V), HIPAA, or the HITECH Act are deemed to satisfy DC's security requirements automatically. This safe harbor applies to the security provisions only. It does not exempt organizations from the separate notification requirements, and entities that qualify for the security safe harbor must still notify the AG when 50 or more DC residents are affected by a breach.
Enforcement and Penalties
Unfair or Deceptive Trade Practice Classification
DC Code 28-3853 classifies any violation of the breach notification subchapter as an unfair or deceptive trade practice under DC Code 28-3904(kk). This is a powerful enforcement mechanism because it opens up all the remedies available under DC's Consumer Protection Procedures Act.
Private Right of Action
DC residents have a private right of action under DC Code 28-3905(k). Consumers injured by a violation of the breach notification law can file suit in DC Superior Court and recover:
- Treble damages or $1,500 per violation, whichever is greater
- Reasonable attorney fees
- Punitive damages in appropriate cases
- Injunctive relief to stop ongoing violations
- Any other relief the court determines proper
For violations of the data security requirements specifically (Section 28-3852.01), consumers may recover actual damages. The treble damages provision applies to notification violations under Section 28-3852.
This combination of treble damages and attorney fee recovery creates a meaningful incentive for private enforcement, even when individual losses from a breach are relatively small.
Attorney General Enforcement
The DC Attorney General can bring enforcement actions in DC Superior Court seeking injunctive relief and restitution. The AG is not required to prove damages to obtain an injunction, and no bond is required. The AG's office has actively pursued data breach enforcement actions.
Recent enforcement actions include DC's share of more than $350,000 from a multistate settlement with software vendor Blackbaud over a ransomware attack that exposed personal information held in the systems Blackbaud hosted for its nonprofit and educational customers. DC also participated in the $600 million Equifax settlement and the $148 million Uber settlement over delayed breach notification.
Cumulative Remedies
The statute specifies that the rights and remedies available under the breach notification law are cumulative to each other and to any other rights and remedies available under law. This means consumers can pursue claims under both the breach notification statute and any other applicable laws simultaneously.
Federal Compliance and Preemption
Entities that comply with the breach notification provisions of the Gramm-Leach-Bliley Act or HIPAA are deemed to be in compliance with DC's resident notification requirements under DC Code 28-3852. However, this safe harbor does not exempt those entities from the AG notification requirement. Even HIPAA-covered entities must notify the DC Attorney General when a breach affects 50 or more DC residents.
There is no federal preemption of DC's breach notification law. The federal safe harbor provisions are additive, not preemptive, meaning organizations must still meet DC-specific requirements that go beyond federal mandates.
This article provides general legal information about District of Columbia data breach notification laws and is not legal advice. Data breach notification requirements involve time-sensitive obligations and potential penalties. Consult a licensed attorney in the District of Columbia for guidance on your specific situation.
Sources and References
- DC Code 28-3851 - Definitions (code.dccouncil.gov)
- DC Code 28-3852 - Notification of security breach (code.dccouncil.gov)
- DC Code 28-3852.01 - Security requirements (code.dccouncil.gov)
- DC Code 28-3852.02 - Remedies (code.dccouncil.gov)
- DC Code 28-3853 - Enforcement (code.dccouncil.gov)
- DC Code 28-3904 - Unfair or deceptive trade practices (code.dccouncil.gov)
- DC Code 28-3905 - Complaint procedures (code.dccouncil.gov)
- D.C. Law 23-98 - Security Breach Protection Amendment Act of 2020 (code.dccouncil.gov)
- DC OAG Consumer Privacy Information (oag.dc.gov)
- AG Schwalb Blackbaud Data Breach Settlement (oag.dc.gov)
- Equifax Data Breach Settlement (oag.dc.gov)
- Uber Data Breach Settlement (oag.dc.gov)