Washington has two data breach notification laws:
- RCW 19.255 applies to individuals and businesses; and
- RCW 42.56.590 applies to local and state agencies.
The two laws, originally enacted in 2015, require individuals, businesses, and public agencies to notify Washington residents in the event that:
- Their personal information is (or is believed to have been) acquired by an unauthorized individual; and
- The resident’s personal information was not secured (i.e. encrypted); and
- The breach of the security of the system is reasonably likely to subject consumers to a risk of harm.
This notice protects consumers by providing information needed to monitor and protect their personal information – such as the date of the breach and the data that was accessed.
When are Data Breach Notices Due?
In general, notification must be made "in the most expedient time possible" and within 30 days after the breach was discovered. State agencies may delay notification to residents up to an additional 14 days to allow the notice to be translated into the primary language of the affected resident.
Businesses and individuals may not delay notice, unless:
- Law enforcement is contacted after discovery of the breach, and the law enforcement agency determines that notification will impede a criminal investigation; or
- The delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
If a data breach affects more than 500 Washington residents, notification must also be provided to the Attorney General's Office, which can be done electronically via our Data Breach Notification Web Form. This notice is also due within 30 days of discovery of the breach.
What information is required in the notice to residents?
Notice to Washington residents must be written in plain language and must include:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
If the breach involves an individual’s username and password, the notice must inform the resident that they should promptly change their password and security question or answer, and/or take other appropriate steps to protect their online account(s), including those not associated with the breached entity, that use the same email address, password, or security question or answer.
If the breach involves a resident’s login credentials for an email account, the breached entity may not provide the breach notification to the resident via that email address.
What information is required in the notice to the Attorney General’s Office?
Notice to the Attorney General’s Office must include:
- The number of Washington consumers affected by the breach, or an estimate if the exact number is not known;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach;
- A summary of steps taken to contain the breach; and
- A single sample copy of the security breach notification sent to residents, excluding any personally identifiable information.
Breached entities must also provide updates to the Attorney General’s Office for any of the above information that was unknown at the time notice was due.
If an update to a previously submitted notice is necessary, please send the update via email to SecurityBreach@atg.wa.gov and include the date of submission of the original notice you provided to our office.
2019 Updates to the Notification Law - House Bill 1071
During the 2019 legislative session the Attorney General proposed request legislation to strengthen Washington’s data breach notification laws. House Bill (HB) 1071 passed unanimously out of both chambers of the Legislature and was signed into law on May 7, 2019.
You can find additional information here: HB 1071 (2019-20).
HB 1071 reduced the deadline to notify consumers and the AGO from 45 to 30 days, and also expanded the definition of “personal information” that triggers the requirement for notice, among other changes.
These stronger requirements went into effect on March 1, 2020.
Definition of Personal Information
Our state’s notification law defines “personal information” as:
- A Washingtonian’s first name or initial and last name in combination with one or more of the following:
  - Social Security number;
  - Driver’s license number or Washington identification card number;
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to their account;
  - Full date of birth;
  - Private keys for electronic signature;
  - Student, military, or passport identification numbers;
  - Health insurance policy or identification numbers;
  - Medical information, including medical history, mental or physical condition, diagnoses, or treatment; and
  - Biometric data.
- Any of the above elements, not in combination with first name or initial and last name, if the affected data was not rendered unusable via encryption or redaction and would enable a person to commit identity theft against the consumer.
- Username and email address in combination with a password or security questions and answers that would permit access to an online account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
How does Washington’s notification law compare to other states?
All 50 states have laws requiring private or governmental entities to notify individuals when a data breach occurs. In all 50 states, notification of individuals is not required if the information compromised was encrypted, redacted or otherwise unreadable.
As of 2023:
- Washington has the most expansive definition of “personal information” in the country (see: “Definition of Personal Information” above).
- Washington and three other states – Florida, Colorado and Maine – require breached organizations to notify consumers within 30 days of discovering a breach. This is the shortest and most protective deadline in the country.
- Washington is one of 19 states that require a hard deadline for reporting breaches to consumers.
- 22 states (including Washington) require notification when an encryption key or security credential is included in the breach along with the encrypted or secured information.
- 36 states (including Washington) require breached entities to notify the Attorney General or another state agency of a breach, under certain conditions.