- What are the Washington State Data Breach Notification laws?
- What is HB 1071?
- What changes does HB 1071 make to the definition of “personal information?”
- What changes does HB 1071 make to the notification that is sent to Washington residents?
- What changes does HB 1071 make to the notification sent to the Attorney General’s Office?
- When are notices to affected residents and the Attorney General’s Office due?
- When do the changes in HB 1071 go into effect?
- What can my business or agency do to prepare for these changes?
- RCW 19.255 applies to individuals and businesses.
- RCW 42.56.590 applies to local and state agencies.
These laws require individuals, businesses, and public agencies to notify Washington residents in the event that:
- Their personal information is (or is believed to have been) acquired by an unauthorized individual; and
- The resident’s personal information was not secured (i.e., encrypted); and
- The breach of the security of the system is reasonably likely to subject consumers to a risk of harm.
This notice protects consumers by providing them with the facts needed to monitor and protect their personal information – such as the date of the breach, and the data that was accessed.
For more information on the specific provisions of these laws, you can visit our website here:
Identity Theft and Privacy Guide for Businesses
You can also find information about Washington’s data breach and data security laws, and how they compare to other states, in our office’s most recent annual Data Breach Report, which you can find here:
Data Breach Notifications
You can find additional information on HB 1071’s path through the Legislature on the official Washington State Legislature website, here:
HB 1071 (2019-20)
HB 1071’s revisions to the laws go into effect on March 1, 2020.
- Social Security number; or
- Driver’s license number or Washington identification card number; or
- Account number or credit or debit card number, in combination with any required security code, or password that would permit access to their account.
HB 1071 expands the definition of “personal information” to include:
- First name or initial and last name in combination with one or more of the following:
  - Social Security number;
  - Driver’s license number or Washington identification card number;
  - Account number or credit or debit card number, in combination with any required security code, or password that would permit access to their account;
  - Full date of birth;
  - Private keys for electronic signature;
  - Student, military, or passport identification numbers;
  - Health insurance policy or identification numbers;
  - Medical information, including medical history, mental or physical condition, diagnoses, or treatment; and
  - Biometric data.
- Any of the above elements, not in combination with first name or initial and last name, if the affected data was not rendered unusable via encryption or redaction and would enable a person to commit identity theft against the consumer.
- Username and email address in combination with a password or security questions and answers that would permit access to an online account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- If known, a time frame of exposure, including the date of the breach and the date of the breach’s discovery;
- If the breach involves a resident’s username and password, the notice must inform the resident that they should promptly change their password and security question or answer, and/or take other appropriate steps to protect their online account(s), including those not associated with the breached entity, that use the same email address, password, or security question or answer.
- If the breach involves a resident’s login credentials for an email account, the breached entity may not provide the breach notification to the resident via that email address.
HB 1071 expands the information required in these notices. Effective March 1, 2020, all notices to our office must include:
- A list of the types of personal information that were or are reasonably believed to have been breached;
- If known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
- A summary of steps taken to contain the breach; and
- A copy of the breach notification sent to affected residents.
HB 1071 also requires that breached entities provide updates to the Attorney General’s Office for any of the above information that was unknown at the time notice was due.
If an update to a previously submitted notice is necessary, please send the update via email to SecurityBreach@atg.wa.gov and include the date of submission of the original notice you provided to our office.
State agencies may delay notification to residents up to an additional 14 days to allow the notice to be translated into the primary language of the affected resident.
Businesses and individuals may not delay notice, unless:
- Law enforcement is contacted after discovery of the breach, and the law enforcement agency determines that notification will impede a criminal investigation; or
- The delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Data security breach notifications sent to the Attorney General’s Office are available for review online, here:
Data Breach Notifications
- Identify whether you hold data that meets the definition of “personal information,” and where it is stored;
- Assess whether you truly need to collect and store the “personal information” that is being held;
- Develop policies for the collection, encryption, and use of “personal information”;
- Properly dispose of any held “personal information” that your business or agency no longer needs;
  - Consider reviewing RCW 19.215, “Disposal of Personal Information,” for more details.
- Talk to your colleagues about the changes to the law;
- Ensure your business or agency has an action plan in the event of a data breach.
  - This could include developing a dedicated Incident Response Team, or implementing automated security technologies to detect attempted breaches.