Data Breaches and Privacy Law

Data breaches are a new part of our society’s norm – but they shouldn’t be. Companies in all types of industries—healthcare, banking, credit, and technology—make express promises to you as to how they will secure your personal and sensitive information. Your personal data should remain private. A data breach of your private personal information can cause serious harm. Many companies either don’t intend to keep these promises or lack the wherewithal to understand the necessity of protecting personal information.

District of Columbia Data Breach Laws

In DC, data breach and privacy laws apply to every individual or business that maintains, possesses, or handles information that they do not own. This includes social security numbers, driver’s licenses or state-issued ID card numbers, and debit or credit card account numbers. The District of Columbia classifies a breach of data as any unauthorized attainment of computerized or other electronic data. This classification extends to any equipment storing the data. One distinction is that employees or agents who gain access to this protected information are excluded from the data breach laws.

In DC, a company that experiences a data breach must communicate this breach to those whose data may have been compromised as soon as possible. There is no strict timeline on how long companies have to notify their customers after a breach; however, consumers must be notified in writing or electronically as soon as reasonably possible. One exception to the written or electronic notification method is that if it would cost a company over $50,000 to notify their clients, or they have over 100,000 clients to notify, they may tell their customers of a data breach through different means. Finally, companies that experience data breach violations in DC could face up to a $100 fine per violation.

Maryland Data Breach Laws

In Maryland, a data breach equates to any unauthorized acquisition of electronic data that compromises the integrity, security, and privacy of data held by an individual or business. Like DC, this does not include acquisitions of personal data by employees or agents that were made in good faith. Data protected in Maryland includes social security numbers, driver’s license numbers, financial account numbers, credit and debit card information, individual taxpayer ID numbers or state identification numbers, passport numbers, health information, insurance, HIPAA, and medical history data, biometric data, and user account information with security questions.

If a data breach occurs in Maryland, the company that experienced the breach must notify the attorney general within 45 days of discovering the breach and must notify its clients within a reasonable time frame. The company must use written, electronic, or telephone notice to inform customers of the breach, except when the cost of doing so exceeds $100,000 or there are over 175,000 people to notify. If either of these values is exceeded, the company may notify its customers by different means. Finally, if a company experiences a breach of data, it will be fined and punished in accordance with the Consumer Protection Act.

Virginia Data Breach Laws

In Virginia, a data breach occurs when there is unauthorized access to unencrypted electronic personal or medical data that compromises the security of this information. Any individual or entity that holds data, including governments, corporations, partnerships, LLCs, LLPs, agencies, for-profits, non-profits, and associations, is bound by these regulations. Protected data in Virginia includes social security numbers, driver’s license or state identification numbers, financial account numbers, credit card or debit card details, physical, mental, or medical history, treatment protocols or diagnoses by a health care practitioner, health insurance policy numbers or subscriber identification numbers, and claims or appeals history and records.

For breaches of data in Virginia, there is no timeline on how long companies have to notify their customers. However, when they do notify their clients, it must be through mail or by telephone. An email notification may be used if the cost of the other notification methods exceeds $50,000 or the company must notify over 100,000 clients. The maximum fine for data breaches in Virginia is $150,000 per breach in the system. This is different from DC and Maryland: in Virginia, if one breach occurs that places 500,000 customers at risk, a company could only be fined $150,000 at most. However, if three breaches occur but only 200,000 customers are at risk, the maximum fine could be $450,000.

Contact our DC Office for More Information

Antonoplos & Associates’ consumer protection group is dedicated to consumer privacy. That means holding accountable those companies that misrepresent their data security and privacy practices and preventing companies from invading your privacy. Our practice investigates data breaches, violations of the Telephone Consumer Protection Act, Fair Credit Reporting Act violations, Fair Debt Collection Practices Act violations, and other privacy violations across the DC, Maryland, and Virginia areas. For more information regarding data breaches and privacy law, schedule a consultation with one of our attorneys or check out our blog.