Back to District of Columbia

B26-0427 • 2025

Cybersecurity and Accountability Act of 2025

Cybersecurity and Accountability Act of 2025

Technology
Active

The official status still shows this bill as active or still awaiting another formal step.

Sponsor
at the request of the Mayor
Last action
2026-07-14
Official status
Under Council Review
Effective date
Not listed

Plain English Breakdown

The provided text is truncated at Section 103(b)(5), so the complete list of required safeguards cannot be verified from this excerpt alone.

Cybersecurity and Accountability Act of 2026

This bill requires insurance licensees in Washington, D.C., to create written security plans for protecting private information and report cybersecurity events to the Department of Insurance, Securities, and Banking.

What This Bill Does

  • Requires licensed insurers and producers to develop a comprehensive written plan with safeguards to protect nonpublic information.
  • Mandates that licensees conduct risk assessments to identify threats and evaluate their security systems.
  • Orders licensees to notify the Commissioner of cybersecurity events involving unauthorized access or misuse of data.
  • Defines specific rules for what counts as a cybersecurity event, including exceptions for encrypted data where keys were not stolen.

Who It Names or Affects

  • Insurance companies and agents licensed in Washington, D.C., excluding groups chartered outside the District.
  • Consumers who live in the District of Columbia and whose private information is held by these licensees.
  • The Department of Insurance, Securities, and Banking.

Terms To Know

Licensee
Any person or company licensed to sell insurance in the District, excluding groups chartered outside D.C. or assuming insurers from other states.
Cybersecurity event
An incident involving unauthorized access to systems or data, unless encrypted data was stolen without its key, or if accessed data was returned and not used.
Nonpublic information
Private details like Social Security numbers, bank accounts, health records, or business secrets that are not available to the public.

Limits and Unknowns

  • The bill text provided ends before listing all required security steps.
  • The official status shows the bill is under review with no effective date listed yet.
  • The full list of specific safeguards in the information security program is not included in the excerpt.

Bill History

  1. 2026-07-14 Council of the District of Columbia LIMS

    Legislative Meeting

  2. 2026-07-08 Council of the District of Columbia LIMS

    Committee Mark-up of B26-0427 by the Health Committee

  3. 2026-06-15 Council of the District of Columbia LIMS

    Public Hearing on B26-0427

  4. 2026-06-05 Council of the District of Columbia LIMS

    Notice of Public Hearing Published in the District of Columbia Register

  5. 2026-06-02 Council of the District of Columbia LIMS

    Revised Notice of Public Hearing filed in the Office of Secretary by Health

  6. 2026-05-08 Council of the District of Columbia LIMS

    Notice of Public Hearing Published in the District of Columbia Register

  7. 2026-05-04 Council of the District of Columbia LIMS

    Notice of Public Hearing filed in the Office of Secretary by Health

  8. 2026-03-03 Council of the District of Columbia LIMS

    Re-Referred to Committee on Health

  9. 2026-02-27 Council of the District of Columbia LIMS

    Re-Referral published.

  10. 2025-10-21 Council of the District of Columbia LIMS

    Referred to Committee on Business and Economic Development

  11. 2025-10-17 Council of the District of Columbia LIMS

    Notice of Intent to Act on B26-0427 Published in the District of Columbia Register

  12. 2025-10-08 Council of the District of Columbia LIMS

    B26-0427 Introduced by Chairman Mendelson at Office of the Secretary

Official Summary Text

Cybersecurity and Accountability Act of 2025

Current Bill Text

Read the full stored bill text
1
Committee Print B26-0427 1 Committee on Health 2 July 8, 2026 3 4 A BILL 5 6 ________________________ 7 8 9 IN THE COUNIL OF THE DISTRICT OF COLUMBIA 10 11 ________________________ 12 13 14 To require that insurance licensees establish standards for data security, investigating 15 cybersecurity events, and notifying the Commissioner of the Department of Insurance, 16 Securities and Banking of cybersecurity events; and to amend the Freedom of 17 Information Act of 1976 to make a conforming change. 18 19 BE IT ENACTED BY THE COUNCIL OF THE DISTRICT OF COLUMBIA, That this 20 act may be cited as the “Cybersecurity and Accountability Amendment Act of 2026”. 21 TITLE I. CYBERSECURITY AND ACCOUNTABILITY REQUIREMENTS. 22 Sec. 101. Short title. 23 This title may be known as the “Cybersecurity and Accountability Act of 2026”. 24 Sec. 102. Definitions. 25 For the purposes of this title, the term: 26 (1) “Authorized individual” means an individual known to, and screened by, the 27 licensee, and to whom the licensee has determined access to the nonpublic information held 28 by the licensee and its information systems is necessary and appropriate. 29 (2) “Commissioner” means the Commissioner of the Department of Insurance, 30 Securities, and Banking. 31
2
(3) “Consumer” means a person, including an applicant, policyholder, insured, 32 beneficiary, claimant, or certificate holder who is a resident of the District and whose nonpublic 33 information is in a licensee’s possession, custody, or control. 34 (4) “Cybersecurity event” means an event resulting in unauthorized access to, or 35 disruption or misuse of, an information system or nonpublic information stored on the 36 information system but does not include: 37 (A) The unauthorized acquisition of encrypted nonpublic information if 38 the encryption, process, or key is not also acquired, released, or used without authorization; or 39 (B) An event where the licensee has determined that the nonpublic 40 information accessed by an unauthorized person has not been used or released and has been 41 returned or destroyed. 42 (5) “Department” means the Department of Insurance, Securities, and Banking. 43 (6) “Encrypted” means the transformation of data into a form which results in a 44 low probability of assigning meaning to the data without the use of a protective process or key. 45 (7) “Information security program” means the administrative, technical, and 46 physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, 47 transmit, dispose of, or otherwise handle nonpublic information. 48 (8) “Information system” means a discrete set of electronic information resources 49 organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition 50 of electronic information, as well as any specialized system, such as an industrial or process 51 controls system, telephone switching and private branch exchange system, or environmental 52 control system. 53
3
(9) “Licensee” means any person licensed, authorized to operate, or registered, or 54 required to be licensed, authorized, or registered by the Department, as an insurance producer or 55 insurer, as those terms are defined under section 2(6) and (7) of the Producer Licensing Act of 56 2002, effective March 27, 2003 (D.C. Law 14-264; D.C. Official Code § 31-1131.02(6) and (7)); 57 except, that the term “licensee” shall not include a purchasing or a risk retention group chartered 58 and licensed in a jurisdiction other than the District or a person acting as an assuming insurer that 59 is domiciled in another state or jurisdiction. 60 (10) “Multi-factor authentication” means authentication through verification of at 61 least 2 of the following types of authentication factors: 62 (A) Knowledge factors, such as a password; 63 (B) Possession factors, such as a token or text message on a mobile phone; 64 or 65 (C) Inherence factors, such as a biometric characteristic. 66 (11) “Nonpublic information” means information that is not publicly available 67 information and is: 68 (A) Business-related information of a licensee, the tampering with, or 69 unauthorized disclosure, access, or use of which, would cause a material adverse impact to the 70 business, operations, or security of the licensee; 71 (B) Any information concerning a consumer that, because of name, 72 number, personal mark, or other identifier, can be used to identify the consumer, in combination 73 with at least one of the following data elements: 74 (i) Social Security number; 75
4
(ii) Driver’s license number or non-driver identification card 76 number; 77 (iii) Bank account number or credit or debit card number; 78 (iv) Any security code, access code, or password that would permit 79 access to a consumer’s financial account; or 80 (v) Biometric records; or 81 (C) Any information or data, except age or gender, in any form or medium 82 created by, or derived from, a health care provider or a consumer and that relates to the: 83 (i) Past, present, or future physical, mental, or behavioral health or 84 condition of a consumer or a member of the consumer’s family; 85 (ii) Provision of health care to a consumer; or 86 (iii) Payment for the provision of health care to a consumer. 87 (12)(A) “Publicly available information” means any information that a licensee 88 has a reasonable basis to believe is lawfully made available to the general public from: 89 (i) Federal, state, or local government records; 90 (ii) Widely distributed media; or 91 (iii) Disclosures to the general public that are required to be made 92 by federal, state, or local law. 93 (B) For purposes of this paragraph, a licensee has a reasonable basis to 94 believe that information is lawfully made available to the general public if the licensee has taken 95 steps to determine: 96 (i) That the information is of the type that is available to the 97 general public; and 98
5
(ii) Whether a consumer can direct that the information not be 99 made available to the general public and, if so, that the consumer has chosen not to do so. 100 (13) “Risk assessment” means the assessment that a licensee is required to 101 conduct under section 103(b). 102 (14) “Third-Party service provider” means a person that is not a licensee and that 103 contracts with a licensee to maintain, process, or store nonpublic information, or otherwise is 104 permitted access to nonpublic information through its provision of services to the licensee. 105 Sec. 103. Information security program. 106 (a) Each licensee shall develop, implement, and maintain a comprehensive written 107 information security program based on the licensee’s risk assessment, which shall include 108 administrative, technical, and physical safeguards for the protection of nonpublic information 109 and the licensee’s information system. The information security program shall: 110 (1) Be designed to protect the security and confidentiality of nonpublic 111 information and the security of the information system; 112 (2) Be designed to protect against any threats or hazards to the security or 113 integrity of nonpublic information and the information system; 114 (3) Be designed to protect against unauthorized access to, or use of, nonpublic 115 information, and minimize the likelihood of harm to any consumer; and 116 (4) Define and periodically reevaluate a schedule for the retention of nonpublic 117 information and a mechanism for its destruction when no longer needed. 118 (b) The licensee shall conduct a risk assessment as part of its obligations to establish an 119 information security system, which shall: 120
6
(1) Designate one or more employees, an affiliate, or an outside vendor 121 designated to act on behalf of the licensee who is responsible for the licensee’s information 122 security program; 123 (2) Identify reasonably foreseeable internal or external threats that could result in 124 unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic 125 information, including the security of information systems and nonpublic information that are 126 accessible to, or held by, third-party service providers; 127 (3) Assess the likelihood and potential damage of these threats, taking into 128 consideration the sensitivity of the nonpublic information; 129 (4) Assess the sufficiency of policies, procedures, information systems, and other 130 safeguards in place to manage these threats, including consideration of threats in each relevant 131 area of the licensee’s operations, including: 132 (A) Employee training and management; 133 (B) Information systems, including network and software design, 134 information classification, governance, processing, storage, transmission, and disposal; and 135 (C) Detecting, preventing, and responding to attacks, intrusions, or other 136 systems failures; and 137 (5) Implement information safeguards to manage the threats identified under 138 paragraph (2) of this subsection in an operative continuous assessment, and, on an annual basis, 139 assess the effectiveness of the safeguards’ key controls, systems, and procedures. 140 (c) Based on its risk assessment, the licensee’s information security system shall: 141 (1) Be designed to mitigate the identified risks, commensurate with the size and 142 complexity of the licensee’s activities, including its use of third-party service providers and the 143
7
sensitivity of the nonpublic information and certain public information, including personally 144 identifiable information, used by the licensee or in the licensee’s possession, custody, or control; 145 (2) Assess which of the following security measures are appropriate and 146 implement such security measures: 147 (A) Place access controls on information systems, including controls to 148 authenticate and permit access only by authorized individuals; 149 (B) Identify and manage the data, personnel, devices, systems, and 150 facilities that enable the licensee to achieve business purposes in accordance with their relative 151 importance to business objectives and the licensee’s risk assessment; 152 (C) Restrict access at physical locations containing nonpublic information 153 only to authorized individuals; 154 (D) Protect by encryption or other appropriate means all nonpublic 155 information while being transmitted over an external network and all nonpublic information 156 stored on a laptop computer or other portable computing or storage device or media; 157 (E) Adopt secure development practices for in-house developed 158 applications utilized by the licensee and procedures for evaluating, assessing, or testing the 159 security of externally developed applications utilized by the licensee; 160 (F) Modify the information system in accordance with the licensee’s 161 information security program; 162 (G) Utilize effective controls, which may include multi-factor 163 authentication procedures, for any individual accessing nonpublic information; 164 (H) Regularly test and monitor systems and procedures to detect actual 165 and attempted attacks on, or intrusion into, information systems; 166
8
(I) Include audit trails within the information security program designed to 167 detect and respond to cybersecurity events and to reconstruct material financial transactions 168 sufficient to support normal operations and obligations of the licensee; 169 (J) Implement measures to protect against destruction, loss, or damage of 170 nonpublic information due to environmental hazards, such as fire and water damage or other 171 catastrophes or technological failures; and 172 (K) Develop, implement, and maintain procedures for the secure disposal 173 of nonpublic information in any format; 174 (3) Include cybersecurity risks in the licensee’s enterprise risk management 175 process; 176 (4) Stay informed on emerging threats or vulnerabilities and utilize reasonable 177 security measures when sharing information relative to the character of the sharing and the type 178 of information shared; and 179 (5) Provide personnel with cybersecurity awareness training that is updated as 180 necessary to reflect risks identified by the licensee in the risk assessment. 181 (d) Notwithstanding subsection (c)(2) of this section, the Commissioner may issue 182 additional security measures through rulemaking. 183 (e)(1) Beginning on February 15 of the year after the effective date of this title, and 184 annually thereafter, each licensee shall submit a written statement to the Commissioner 185 confirming that the insurer is in compliance with the requirements of this section. 186 (2) Each licensee shall maintain for examination by the Department all records, 187 schedules, and data supporting its annual written statement for a period of 5 years. To the extent 188 the licensee has identified areas, systems, or processes that require material improvement, 189
9
updating, or redesign, it shall document the identification and the remedial efforts planned and 190 underway to address those areas, systems, or processes, which shall be available for inspection 191 by the Commissioner. 192 Sec. 104. Investigation and notification of a cybersecurity event. 193 (a) If the licensee learns that a cybersecurity event has or may have occurred in its 194 information system or a system maintained by a third-party service provider, the licensee, an 195 outside vendor or service provider designated to act on behalf of the licensee, or the third-party 196 service provider shall conduct a prompt investigation, which shall at a minimum and to the 197 extent possible: 198 (1) Determine whether a cybersecurity event has occurred; 199 (2) Assess the nature and scope of the cybersecurity event; 200 (3) Identify any nonpublic information that may have been involved in the 201 cybersecurity event; and 202 (4) Perform or oversee reasonable measures to restore the security of the 203 information system compromised in the cybersecurity event to prevent further unauthorized 204 acquisition, release, or use of nonpublic information in the licensee’s possession, custody, or 205 control. 206 (b) The licensee shall maintain records concerning each cybersecurity event for a period 207 of at least 5 years from the date of cybersecurity event and shall produce those records to the 208 Commissioner upon request. 209 (c) A licensee shall notify the Commissioner of a cybersecurity event no later than 3 210 business days after a determination that a cybersecurity event has occurred, if: 211
10
(1) The District is the licensee’s jurisdiction of domicile in the case of an insurer 212 or the District is the licensee’s home jurisdiction in the case of an insurance producer, as those 213 terms are defined in section 2(7) and (6) of the Producer Licensing Act of 2002, effective March 214 27, 2003 (D.C. Law 14-264; D.C. Official Code § 31-1131.02(7) and (6)), respectively; or 215 (2) The licensee reasonably believes that the nonpublic information involves 250 216 or more consumers residing in the District and the cybersecurity event: 217 (A) Requires notice to a government body, self-regulatory agency, or any 218 other supervisory body pursuant to any state or federal law; or 219 (B) Has a reasonable likelihood of materially harming: 220 (i) A consumer residing in the District; or 221 (ii) Any material part of the normal operations of the licensee. 222 (d) Notwithstanding subsection (c) of this section, if the cybersecurity event occurs in a 223 system maintained by a third-party service provider, the licensee shall notify the Commissioner 224 no later than 3 days after the third-party service provider notifies the licensee of the 225 cybersecurity event or the licensee has actual knowledge of the cybersecurity event, whichever is 226 sooner; 227 (e)(1)(A) In the case of a cybersecurity event involving nonpublic information that is 228 used by or is in the possession, custody, or control of a licensee that is acting as an assuming 229 insurer and that does not have a direct contractual relationship with the affected consumers, the 230 assuming insurer shall notify its affected ceding insurers and the insurance regulatory agency of 231 its jurisdiction of domicile within 3 business days of determining that a cybersecurity event has 232 occurred; and 233
11
(B) The ceding insurers that have a direct contractual relationship with 234 affected consumers shall fulfill the consumer notification requirements imposed under D.C. 235 Official Code § 28-3852, and any other notification requirements relating to a cybersecurity 236 event imposed under this section. 237 (2)(A) In the case of a cybersecurity event involving nonpublic information that is 238 in the possession, custody, or control of a third-party service provider of a licensee that is an 239 assuming insurer, the assuming insurer shall notify its affected ceding insurers and the insurance 240 regulatory agency of its jurisdiction of domicile within 3 business days of receiving notice from 241 its third-party service provider that a cybersecurity event has occurred; 242 (B) The ceding insurers that have a direct contractual relationship with 243 affected consumers shall fulfill the consumer notification requirements imposed under D.C. 244 Official Code § 28-3852, and any other notification requirements relating to a cybersecurity 245 event imposed under this section. 246 (f) In the case of a cybersecurity event involving nonpublic information that is in the 247 possession, custody, or control of a licensee that is an insurer or its third-party service provider 248 for which a consumer accesses the insurer’s services through an independent insurance producer, 249 the insurer shall notify the producers of record of all affected consumers as soon as practicable as 250 directed by the Commissioner. The licensee is excused from the obligation to provide notice to 251 individual consumers where the licensee does not have the current producer of record 252 information for those consumers. 253 Sec. 105. Powers of the Commissioner and penalties. 254 (a) The Commissioner shall have the power to examine and investigate the affairs of any 255 licensee to determine whether the licensee has or is engaged in conduct in violation of this title, 256
12
in accordance with the Law on Examinations Act of 1993, effective October 21, 1993 (D.C. Law 257 10-49; D.C. Official Code § 31-1401 et seq.). 258 (b) An insurer found, without just cause as defined by the Commissioner by rule, to be in 259 violation of this title, after notice and hearing conducted according to the rules for contested 260 cases set forth in Chapter 38 of Title 26A of the District of Columbia Municipal Regulations, 261 shall pay a penalty in an amount not to exceed $1,000 per day; except, that the maximum penalty 262 assessed shall be no more than $25,000. 263 (c) The Commissioner may, through rulemaking, establish other penalties for violations 264 of this title. 265 266 Sec. 106. Confidentiality. 267 (a)(1) Documents, materials, or other information in the control or possession of the 268 Department that are furnished by a licensee, or agent acting on behalf of a licensee, pursuant to 269 sections 103 and 104, or that are obtained by the Commissioner in an investigation or 270 examination pursuant to section 105, are confidential and privileged and shall not be subject to: 271 (A) Disclosure under the Freedom of Information Act of 1976, effective 272 March 25, 1977 (D.C. Law 1-96; D.C. Official Code § 2-531 et seq.); 273 (B) Subpoena; or 274 (C) Discovery or be admissible in evidence in a private civil action; 275 except, that the Commissioner may use the documents, materials, or other information in the 276 furtherance of an action brought as part of the Commissioner’s duties. 277 (2) Neither the Commissioner nor any person who receives documents, materials, 278 or other information while acting under the authority of the Commissioner shall be permitted to 279
13
testify in any private civil action concerning any confidential documents, materials, or 280 information received pursuant to subsection (a) of this section. 281 (b) The Commissioner may: 282 (1) Share documents, materials, or other information, including the confidential 283 and privileged documents, materials, or information subject to subsection (a) of this section with 284 other state, federal, and international regulatory agencies, with the National Association of 285 Insurance Commissioners (“NAIC”), its affiliates or subsidiaries, and with state, federal, and 286 international law enforcement authorities; provided, that the recipient agrees in writing to 287 maintain the confidentiality and privileged status of the document, material, or other information; 288 (2) Receive documents, materials, or information, including otherwise 289 confidential and privileged documents, materials, or information, from the NAIC, its affiliates or 290 subsidiaries, and from regulatory and law enforcement officials of other foreign or domestic 291 jurisdictions, and shall maintain as confidential or privileged any document, material, or 292 information received with notice or the understanding that it is confidential or privileged under 293 the laws of the jurisdiction that is the source of the document, material, or information; 294 (3) Share documents, materials, or other information subject to subsection (a) of 295 this section, with a third-party consultant or vendor; provided, that the consultant agrees in 296 writing to maintain the confidentiality and the privileged status of the document, material, or 297 other information; and 298 (4) Enter into an agreement governing sharing and use of information consistent 299 with this subsection. 300
14
(c) No waiver of any applicable privilege or claim of confidentiality in the documents, 301 materials, or information shall occur as a result of disclosure to the Commissioner under this 302 section or as a result of sharing as authorized in subsection (c) of this section. 303 (e) Nothing in this title shall be construed to prohibit the Commissioner from sharing 304 final orders of adjudicated actions otherwise open to public inspection pursuant to the Freedom 305 of Information Act of 1976, effective March 25, 1977 (D.C. Law 1-96; D.C. Official Code § 2-306 531 et seq.), to a database or other clearinghouse service maintained by the NAIC, its affiliates, 307 or subsidiaries. 308 Sec. 107. Exemptions. 309 (a) The following licensees shall be exempt from the requirements of section 103: 310 (1) A licensee with fewer than 10 employees, including any independent 311 contractors; 312 (2) A licensee subject to the Health Insurance Portability and Accountability Act 313 of 1996, approved August 21, 1996 (110 Stat. 1936; 42 U.S.C. § 1320d et seq.) (“HIPAA”), that 314 has established and maintains an information security program pursuant to HIPAA and the rules, 315 regulations, procedures, or guidelines established thereunder; provided, that the licensee submits 316 a written statement to the Commissioner certifying its compliance with HIPAA; 317 (3) A licensee having less than $5 million in annual written premiums in each of 318 the last 3 calendar years from its District of Columbia business operations; 319 (4) A licensee having less than $10 million in year-end admitted assets, calculated 320 in accordance with the NAIC’s statutory accounting principles, including admitted assets of all 321 affiliates; and 322
15
(5) An employee, agent, representative, or designee of a licensee, who is also a 323 licensee, to the extent that the employee, agent, representative, or designee is covered by the 324 information security program of the other licensee. 325 (b) A licensee claiming an exemption under subsection (a) of this section shall file a 326 request for an exemption in accordance with the rules prescribed by the Commissioner. 327 (c) In the event that a licensee ceases to qualify for an exception, the licensee shall have 328 180 days to comply with the requirements of this title. 329 330 Sec. 108. Rulemaking. 331 The Commissioner, pursuant to Title I of the District of Columbia Administrative 332 Procedure Act, approved October 21, 1968 (82 Stat. 1204; D.C. Official Code § 2-501 et seq.), 333 shall promulgate rules necessary to implement the provisions of this title, including establishing: 334 (1) Standards and practices that shall be incorporated in a licensee’s information 335 security program, including risk assessments, the role of the licensee’s board of directors, 336 oversight of third-party service providers, and the requirement for written incident response 337 plans; and 338 (2) Guidance addressing the form and contents of the information that shall be 339 included in any initial, updated, or supplemental notification to the Commissioner concerning a 340 cybersecurity event; provided, that a licensee shall provide the Commissioner with a copy of the 341 notification of security breach sent to consumers as required by D.C. Official Code § 28-3852. 342 Sec. 109. No private right of action. 343 Nothing in this title shall be construed to create or imply a private cause of action or 344 curtail an existing private cause of action under another law. 345
16
TITLE II. CONFORMING AMENDMENT; FISCAL IMPACT; EFFECTIVE 346 DATE. 347 Sec. 201. Section 204(a) of the Freedom of Information Act of 1976, effective March 31, 348 1977 (D.C. Law 1-96; D.C. Official Code § 2-534(a)), is amended as follows: 349 (a) Paragraph (23) is amended by striking the phrase “; and” and inserting a semicolon in 350 its place. 351 (b) Paragraph (24) is amended by striking the period and inserting the phrase “; and” in 352 its place. 353 (c) A new paragraph (25) is added to read as follows: 354 “(25) Information exempt from disclosure under the Cybersecurity and 355 Accountability Act of 2026, as approved by the Committee on Health on July 8, 2026 356 (Committee print of Bill 26-427).”. 357 Sec. 202. Fiscal Impact Statement. 358 The Council adopts the fiscal impact statement in the committee report as the fiscal 359 impact statement required by section 4a of the General Legislative Procedures Act of 1975, 360 approved October 16, 2006 (120 Stat. 2038; D.C. Official Code § 1-301.47a). 361 Sec. 203. Effective Date. 362 This act shall take effect following approval by the Mayor (or in the event of veto by the 363 Mayor, action by the Council to override the veto) and a 30-day period of congressional review 364 as provided in section 602(c)(1) of the District of Columbia Home Rule Act, approved December 365 24, 1973 (87 Stat. 813; D.C. Code § 1-206.02(c)(1)). 366