
District of Columbia data breach notification law

District of Columbia's data breach notification requirements under D.C. Code §§28-3851 to 28-3853 (Consumer Personal Information Security Breach Notification Act). Below: the resident-notification deadline, the threshold for filing with the Attorney General, the encryption safe harbor, private right of action exposure, the penalty schedule, and the common pitfalls that turn a manageable incident into an enforcement action.

Statute
D.C. Code §§28-3851 to 28-3853
Enforcer
DC Attorney General
AG notification
Required
Private right of action
Yes — residents can sue

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay, but not later than 60 days
Notify the state regulator
Yes — if more than 50 DC residents are affected, written notice to the DC AG no later than the time individuals are notified
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification not required if the breach is unlikely to result in harm — written documentation must be retained for 3 years and provided to the AG on request
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under District of Columbia law

An individual's first name or first initial and last name, combined with any of: Social Security number; driver's license or DC identification card number; financial account number together with any required access code; medical information; health-insurance information; biometric data; taxpayer identification number; passport number; military identification number; or genetic information. Also covered: a username or email address combined with a password or security question and answer, and a standalone account number combined with its access code (neither requires the individual's name).

Penalties and enforcement

Civil penalty up to $100 per affected resident, capped at $10,000 per breach; private right of action under DC consumer protection statute
Enforced by: DC Attorney General.

Common pitfalls

DC's 50-resident threshold for AG notice is one of the lowest in the country, so even a small consumer-facing breach triggers regulator notice; treat the AG filing as part of the standard resident-notification workflow rather than an exception.
A "no harm" determination is only defensible if the written analysis behind it can be produced on AG request for 3 years after the incident; incident-response records are often purged well before that, so align retention of investigation notes, logs, and the harm analysis with the 3-year requirement.

Frequently asked questions

How long do I have to notify District of Columbia residents after a data breach?
In the most expedient time possible and without unreasonable delay, but not later than 60 days
Do I have to notify the District of Columbia Attorney General?
Yes — if more than 50 DC residents are affected, written notice to the DC AG no later than the time individuals are notified
Does District of Columbia require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from District of Columbia's breach notification requirement?
Yes — District of Columbia has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can District of Columbia residents sue me directly for a data breach?
Yes — District of Columbia allows a private right of action. Affected residents may sue for actual damages and, in some cases, statutory damages or attorneys' fees. Class actions are common.
What counts as 'personal information' under District of Columbia law?
An individual's first name or first initial and last name, combined with any of: Social Security number; driver's license or DC identification card number; financial account number together with any required access code; medical information; health-insurance information; biometric data; taxpayer identification number; passport number; military identification number; or genetic information. Also covered: a username or email address combined with a password or security question and answer, and a standalone account number combined with its access code (neither requires the individual's name).
What are the penalties for failing to comply with District of Columbia's breach notification law?
Civil penalty up to $100 per affected resident, capped at $10,000 per breach; private right of action under DC consumer protection statute

Related state breach laws

Connecticut (CT)
Conn. Gen. Stat. §36a-701b
Delaware (DE)
6 Del. C. §§12B-101 to 12B-104
Florida (FL)
Fla. Stat. §501.171
Georgia (GA)
Ga. Code §§10-1-910 to 10-1-915

Pre-empt the District of Columbia breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against District of Columbia's statutory requirements. You'll see every gap before you have to use it for real.
