Code of the District of Columbia

§ [28-3852.01]. Security requirements.

(a) To protect personal information from unauthorized access, use, modification, disclosure, or a reasonably anticipated hazard or threat, a person or entity that owns, licenses, maintains, handles, or otherwise possesses personal information of an individual residing in the District shall implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation.

(b) A person or entity that uses a nonaffiliated third party as a service provider to perform services for a person or entity and discloses personal information about an individual residing in the District under a written agreement with the third party shall require by the agreement that the third party implement and maintain reasonable security procedures and practices that:

(1) Are appropriate to the nature of the personal information disclosed to the nonaffiliated third party; and

(2) Are reasonably designed to protect the personal information from unauthorized access, use, modification, and disclosure.

(c) When a person or entity is destroying records, including computerized or electronic records and devices containing computerized or electronic records, that contain personal information of a consumer, employee, or former employee of the person or entity, the person or entity shall take reasonable steps to protect against unauthorized access to or use of the personal information, taking into account:

(1) The sensitivity of the records;

(2) The nature and size of the business and its operations;

(3) The costs and benefits of different destruction and sanitation methods; and

(4) Available technology.

(d) A person or entity who is subject to and in compliance with requirements for security procedures and practices contained in Title V of the Gramm-Leach-Bliley Act, approved November 12, 1999 (113 Stat. 1436; 15 U.S.C. § 6801 et seq.), or the Health Insurance Portability Accountability Act of 1996, approved August 21, 1996 (Pub. L. No. 104-191; 110 Stat. 1936), or the Health Information Technology for Economic and Clinical Health Act, approved February 17, 2009 (Pub. L. No.111-5; 123 Stat. 226), and any rules, regulations, guidance and guidelines thereto, shall be deemed to be in compliance with this section.".


(June 17, 2020, D.C. Law 23-98, § 2(a)(5), 67 DCR 3923.)