On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required contents of a security breach notification and requires that written notice of a breach involving 50 or more District residents be provided to the District’s attorney general; (iii) specifies security requirements for the protection of personal information, including for nonaffiliated third-party service providers; (iv) requires consumers to be provided at least 18 months of non-cost identity theft prevention services for data breaches involving the release of a social security or tax identification number; and (v) stipulates that a violation of these requirements is considered an unfair or deceptive trade practice. The Act takes effect following a 30-day congressional review period and publication in the District of Columbia Register.