Washington Strengthens Breach Notification Law

Published On May 9, 2019 | By Michelle Anderson, Armin Tadayon and Jason Wool | Data Security, Privacy

On May 7, 2019, Governor Jay Inslee signed a bill (HB 1071) that strengthens the state’s existing data breach notification law by expanding the definition of “personal information” and reducing the time an entity has to disclose a breach to consumers and the Attorney General from 45 to 30 days. These proposed amendments are consistent with our previous observations that states will continue to enhance their data breach notification laws to provide more robust protections in light of recent high-profile data breaches and growing public concern about data privacy. The amendments will take effect March 1, 2020.

Expanded Definition of Personal Information

The bill adds the following data elements, when combined with a consumer’s name, to the definition of personal information:

  • full date of birth (making Washington just the second state to include this data element in the definition of personal information, along with North Dakota); 
  • electronic signature; 
  • student, military, or passport identification number; 
  • health insurance policy or identification number; 
  • medical history information; or 
  • biometric data. 

The bill would also modify the statute such that any of the data elements above (even without the consumer’s name)—as well as Social Security numbers, driver’s license numbers or Washington identification card numbers, and account numbers, credit or debit card numbers, or any required security code, access code, or password to access an account—are considered to be personal information if the data elements are not encrypted, redacted, or rendered unusable and the data element(s) would enable a person to commit identity theft against a consumer. 

Additionally, under the new definition, personal information would include a user name or email address in combination with a password or security questions and answers that would permit access to an online account. If the data breach includes a user name or password, notice to affected individuals must inform them to promptly change their password and security question or answer, as applicable.  

Notice of a Breach

The bill shortens the breach notification deadline for affected consumers and the Attorney General from 45 calendar days to 30 calendar days, subject to law enforcement-related exceptions. The bill also adds to the content requirements for notices to the Attorney General. Notices must now include the time frame of exposure, including the date of the breach and the date of the discovery of the breach, as well as a summary of steps taken to contain the breach.

About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Jason Wool’s practice focuses on cybersecurity, including cyber risk management, incident response, and compliance with global data protection laws, regulations, and standards, including the PCI-DSS. He has advised organizations ranging from small businesses to Fortune 500 companies during complex, privileged computer crime investigations; provided ongoing advice on the development of cybersecurity programs and cybersecurity governance structures; conducted tabletop exercises and other data breach simulations; and assisted clients with large scale audits to determine compliance with complex cybersecurity standards.
