Legislative Alert: Updates to Washington Breach Notification Statute Expected

May 07, 2019 Washington State will soon pass a law that will overhaul its data breach notification requirements, beginning in March 2020. House Bill 1071, which passed both of Washington’s legislative chambers, was presented to Governor Jay Inslee in late April, and the governor is widely expected to sign the bill into law. The bill includes four significant changes to Washington’s existing data breach notification requirements.

By: David E. Artman & David B. Sherman

Washington State will soon pass a law that will overhaul its data breach notification requirements, beginning in March 2020. House Bill 1071, which passed both of Washington’s legislative chambers, was presented to Governor Jay Inslee in late April, and the governor is widely expected to sign the bill into law. The bill includes four significant changes to Washington’s existing data breach notification requirements:

Reduced Time to Provide Notice

The new law reduces the time in which entities must notify affected individuals regarding a data security incident from 45 to 30 days. The entity must also notify the Office of the Attorney General within 30 days if the incident affects more than 500 Washington residents.

Expanded Definition of Personal Information

Under the new law, an entity must notify affected Washington residents when there has been unauthorized access to the individual’s first name or first initial and last name in combination with any of the following elements pertaining to that person:

  • Social Security number;
  • Driver’s license number or Washington identification card number;
  • Financial account, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts or any other numbers or information that can be used to access a person’s financial account;
  • Full date of birth;
  • Private key that is unique to the individual and is used to authenticate or sign an electronic record;
  • Student, military, or passport identification number;
  • Health insurance policy number or health insurance identification number;
  • Information about the individual’s medical history, mental or physical condition, or medical diagnosis or treatment; or
  • Biometric data including fingerprints, voiceprints, eye retina and iris scans, or other unique characteristics that are used to identify a specific individual.

The above list is much broader than under the current law, which limits notice to situations in which there has been access to a name in combination with a Social Security number, driver’s license number or Washington identification number, or a financial account number with means to access the account.

In addition, notice will be required if there has been unauthorized access to any of the data sets listed above, even without access to a name, if the access would allow a person to commit identity theft against the individual. Similarly, the definition of personal information will also include usernames or email addresses in combination with a password or security questions and answers that would permit access to an online account, even if the individual’s name was not accessed.

Content Requirements

The bill includes minor revisions to the content requirements for notification to the affected individuals and the attorney general. Under the new law, notices must include the timeframe of exposure, including the date on which the breach occurred and the date it was discovered. Notice to the attorney general must also specify the type of information involved, steps taken to contain the breach, and a sample copy of the notice letter sent to the affected individuals.

Substitute Notice Provisions

The new law allows an entity to provide substitute notice by email if the incident involved a username or password, as long as the email address is not one that the subject entity provided to the individual. When substitute notice by email is permitted, the notice must recommend that the individual change login credentials for the online account at issue as well as any other online account that uses the same credentials.

Businesses and organizations inside and outside Washington should routinely review their policies and procedures for compliance with revised statutory frameworks. Lewis Brisbois can help develop incident response plans tailored to your organization’s needs to ensure your business is prepared to respond quickly and effectively to a data breach, privacy violation, or other cyber incident.

Click the ‘Subscribe for More Updates’ button at the top to receive alerts when new Digital Insights posts go up.