Washington Strengthens Breach Notification Law

Published: May. 09, 2019

Updated: Oct. 05, 2020

On May 7, 2019, Governor Jay Inslee signed a bill (HB 1071) that strengthens the state’s existing data breach notification law by expanding the definition of “personal information” and reducing the time an entity has to disclose a breach to consumers and the Attorney General from 45 to 30 days. These proposed amendments are consistent with our previous observations that states will continue to enhance their data breach notification laws to provide more robust protections in light of recent high-profile data breaches and growing public concern about data privacy. The amendments will take effect March 1, 2020.

Expanded Definition of Personal Information

The bill adds the following data elements, when combined with a consumer’s name, to the definition of personal information:

  • full date of birth (making Washington just the second state to include this data element in the definition of personal information, along with North Dakota); 
  • electronic signature; 
  • student, military, or passport identification number; 
  • health insurance policy or identification number; 
  • medical history information; or 
  • biometric data. 

The bill would also modify the statute such that any of the data elements above (even without the consumer’s name)—as well as Social Security numbers, driver’s license numbers or Washington identification card numbers, and account numbers, credit or debit card numbers, or any required security code, access code, or password to access an account—are considered to be personal information if the data elements are not encrypted, redacted, or rendered unusable and the data element(s) would enable a person to commit identity theft against a consumer. 

Additionally, under the new definition, personal information would include a user name or email address in combination with a password or security questions and answers that would permit access to an online account. If the data breach includes a user name or password, notice to affected individuals must inform them to promptly change their password and security question or answer, as applicable.  

Notice of a Breach

The bill shortens the breach notification deadline for affected consumers and the Attorney General from 45 calendar days to 30 calendar days, subject to law enforcement-related exceptions. The bill also adds to the content requirements for notices to the Attorney General. Notices must now include the time frame of exposure, including the date of the breach and the date of the discovery of the breach, as well as a summary of steps taken to contain the breach.