Washington State Data Breach Notification Statute Updates Go Into Effect, Imposing New Requirements on Businesses
Effective March 1, 2020, amendments to the Washington State data breach notification statute made the law significantly more onerous for companies dealing with data security incidents. The amendments, which we first covered in May 2019, expanded the definition of personal information, shortened the deadlines for notification, and imposed additional requirements for notice contents. As a result, more data security incidents may result in notification obligations, and businesses will have less time to comply. As the frequency and severity of data security incidents continues to increase, it is crucial that businesses – and their counsel – be aware of these new, more stringent rules.
Prior to the amendments, Washington law required notice to consumers only when a security incident involved unauthorized access to a relatively narrow range of the consumer’s “personal information:” a name in combination with either a Social Security number, a driver’s license or Washington identification number, or financial account information with means to access the account. The recent amendments expanded the definition of notice-triggering personal information to include a name (first name or first initial and last name) in combination with any of the following unencrypted data sets:
- A student ID, military ID, or passport number;
- Any numbers or information that can be used to access a consumer’s financial account;
- A date of birth;
- A unique private key used to authenticate or sign an electronic record;
- A health insurance policy number or identification number;
- Medical information, including medical history, mental or physical condition, or medical diagnosis or treatment; or
- Biometric data including fingerprints, voiceprints, eye retina and iris scans, or other unique characteristics that are used to identify a specific individual.
Notification could be required even if a consumer’s name is not among the compromised data. For example, notification would be required if any of the compromised data elements listed above would enable a person to commit identity theft against a consumer. It also would be required if the incident simply involved credentials that would permit access to an online account (e.g., a username or email address in combination with a password or security question and answer).
Moreover, the deadlines for both consumer and regulatory notice have been shortened. The prior iteration of the statute required entities to notify affected consumers and the Washington State Attorney General (if more than 500 state residents are notified) no more than 45 days after discovering a breach. The amendments shorten both notice periods to 30 days.
The amendments reflect a growing trend among the states. With increasing public concern about privacy and data security, lawmakers will likely continue to increase the scope and stringency of data breach notification laws nationwide.