The Honorable Phil Mendelson
Chair, Council of the District of Columbia
Chair, Committee of the Whole
Wilson Building, Room 412
1350 Pennsylvania Avenue, N.W.
Washington, DC 20004

RE: DC B23-215, A Bill Regarding Data Privacy Protection

Dear Chair Mendelson:

The Securities Industry and Financial Markets Association1 is a national trade association which brings together the shared interests of over 340 broker-dealers, banks and asset managers, many of whom have a strong presence in the District of Columbia. We thank you for the opportunity to provide feedback on B23-215, which would generally modernize the District’s data breach law while keeping the law in line with similar requirements across the country.

SIFMA generally supports such efforts and commends Attorney General Racine and the Council on their efforts in this space. Below we have included several suggestions for your review that would both strengthen consumer protections and increase the proposed framework’s efficiency:

• The Need to Expand the Gramm-Leach-Bliley Act Compliance Provision

The current law states that entities subject to Title V of the GLBA, and who provide notice of a breach in accordance with that Act, are deemed to be compliant with the District’s law. As currently drafted, B23-215 would add two new provisions to the existing law, both of which would be outside of the GLBA deemed-compliance provision: notification to the District Attorney General, and an additional security requirement. We urge you to consider expanding the GLBA deemed-compliance provision to include both provisions, or at least modifying the notification provision, for the reasons discussed below.