Recent Changes to Washington Data Breach Notification Law and Other Trends

May 2019

Washington Governor Jay Inslee signed HB 1071 into law on May 7, 2019. This bill amends and expands Washington’s data breach notification law and takes effect March 1, 2020. Washington’s revision of its data breach notification law follows other governments that have recently enacted or implemented data privacy laws or changed their existing data privacy laws. Below, we discuss some of the trends we see in these laws and amendments.

HB 1071 Broadens Definition of Personal Information

Prior to HB 1071, Washington's data breach notification law defined personal information as the combination of an individual’s first initial or first name, last name, and one or more of the following: (i) Social Security number, (ii) driver’s license number or Washington ID card number, or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The new law augments these numbered items to include the following:

  • Full date of birth;
  • Private key unique to an individual and that is used to authenticate or sign an electronic record;
  • Student, military, or passport ID number;
  • Health insurance policy number or health insurance ID number;
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; and
  • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

In addition, the new law would consider these data elements personal information even if unaccompanied by an individual’s first initial / first name and last name, if encryption, redaction, or other methods have not rendered the element(s) unusable and if the element(s) would enable a person to commit identity theft against a consumer. Regardless of whether an individual’s name is included, the new law extends personal information to also include usernames or email addresses in combination with a password or security questions and answers that would permit access to an online account.

Timing and Content of Data Breach Notices

Prior to HB 1071, Washington’s data breach notification law required notification to be made in the most expedient time possible and without unreasonable delay, but no more than 45 calendar days following discovery of the breach. The new law reduces that period to 30 calendar days, both for notice to affected individuals and for informing the Washington Attorney General. Washington joins Colorado and Florida in having this 30-day notification period, the shortest among all the states.

In addition, the new law requires notices to individuals to include, if known, the date of the breach and the date of the discovery of the breach. If a breach involves a username or password, notice may be sent by email and must inform the person to promptly change his or her password and security question or answer. Understandably, if the breach involves email login credentials, notice must be given by a means that does not involve email.

The new law requires that the notice to the Attorney General contain additional disclosures, some of which are included in the notice to individuals. Notice to the Attorney General is required only if more than 500 Washington residents are affected by the breach.

Data Breach Notification Laws of Other Governments

This past year saw many developments in data privacy laws, with the European Union's (EU's) General Data Protection Regulation (GDPR) coming into effect in May 2018 and California's enacting the California Consumer Privacy Act (CCPA) in September 2018. Many data breach notification laws saw changes as well. Eight states expanded their definition of personal information. For example, Connecticut’s data breach notification law was amended so that credit and debit card numbers disclosed with an individual’s name trigger breach notification even if no access or security code was compromised.

Additionally, when more sensitive information is disclosed, states are beginning to require businesses to provide identity theft protection mechanisms. Massachusetts, whose amendment to its data breach notification law took effect in early April, recently joined Connecticut, California, and Delaware in requiring credit monitoring when Social Security numbers are disclosed.

Even the State of Washington is considering further measures. In its most recent session, the Washington legislature introduced the Washington Privacy Act, a bill similar to California's CCPA and the EU's GDPR. Although the Washington Privacy Act passed overwhelmingly in the Senate, it did not come to a vote in the House of Representatives. Washington legislators expect to pick up the legislation in 2020.

As breach notification statutes become more specific, it will be crucial for businesses to maintain processes to respond to breaches efficiently. If you would like assistance with complying with the new Washington law or any other data breach notification or privacy law, please contact one of our Cybersecurity & Data Privacy attorneys.
