(a) Except to the extent prohibited by law other than this chapter, the Administrator or Administrator's agent shall notify a holder as soon as practicable of:
- (1) A suspected loss, misuse or unauthorized access, disclosure, modification, or destruction of confidential information obtained from the holder in the possession of the Administrator or an Administrator's agent; and
(2) Any interference with operations in any system hosting or housing confidential information that:
- (A) Compromises the security, confidentiality, or integrity of the information; or
- (B) Creates a substantial risk of identity fraud or theft.
- (b) Except as necessary to inform an insurer, attorney, investigator, or others as required by law, the Administrator and an Administrator's agent may not disclose, without the express consent in a record of the holder, an event described in subsection (a) of this section to a person whose confidential information was supplied by the holder.
(c) If an event described in subsection (a) of this section occurs, the Administrator and the Administrator's agent shall:
- (1) Take action necessary for the holder to understand and minimize the effect of the event and determine its scope; and
(2) Cooperate with the holder with respect to:
- (A) Any notification required by law concerning a data or other security breach; and
- (B) A regulatory inquiry, litigation, or similar action.
History
Nov. 13, 2021, D.C. Law 24-45, § 7088