Washington Personal Information Notice of Security Breaches
WA Rev Code § 19.255.005, et seq.
SUMMARY:
EFFECTIVE. July 24, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Washington and owns or licenses computerized data that includes Personal Information; and (2) any person or entity that maintains computerized data which includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person or business. Good faith acquisition of Personal Information by an employee or agent for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element or name is not encrypted:
- Social Security Number.
- Full date of birth.
- Driver’s license number, state identification card number, student number, military identification number, or passport identification number.
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Health insurance policy number or health insurance identification number.
- Information about the individual’s medical history, mental or physical condition, or medical diagnosis or treatment; biometric data including fingerprints, voiceprints, eye retina, and iris scans; or other unique characteristics that are used to identify a specific individual.
- Private key that is unique to the individual and is used to authenticate or sign an electronic record.
- Username or email address in combination with a password or security questions and answers that would permit access to an online account.
- Any of the data elements, or any combination of the data elements, without the consumer’s first name or first initial and last name, if encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable and the data element or combination of data elements would enable a person to commit identity theft against a consumer.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected. If the notification is being sent to more than 500 Washington residents, the entity must submit a single sample copy of the security breach notification, excluding any personally identifiable information, to the Attorney General.
EXCEPTION. This Section does not apply to the following:
- Personal information that is encrypted or otherwise modified so that it is rendered unreadable, unusable, or undecipherable.
- No notification is required if the person or business determines that a security breach is not reasonably likely to subject consumers to a risk of harm.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, and that is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the person or business in accordance with its policies.
- Any financial institution under the authority of the Office of the Comptroller of the Currency, the FDIC, the NCUA or the Federal Reserve System is deemed to have complied under the interagency guidelines establishing information security standards (12 C.F.R. Part 30, 12 C.F.R. Part 208, 12 C.F.R. Part 225, 12 C.F.R. Part 364 and 12 C.F.R. Part 748) if the financial institution provides notice to affected consumers in accordance with the interagency guidance on response programs for unauthorized access to consumer information and customer notice. The entity must comply with the Attorney General requirements in addition to providing notice to its primary Federal regulator.
- HIPAA Covered Entity exception. Entities covered under the Federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) will be deemed in compliance if they have fully complied with Section 13402(f) of the Federal Health Information Technology for Economic and Clinical Health Act (“HITECH”). Covered entities must notify the Attorney General within the timeliness requirements of the HITECH Act, notwithstanding the timing of notification herein.
WHEN TO NOTIFY OF THE BREACH. The person or business must send notification in the most expedient time possible and without unreasonable delay, and no later than 30 days after the breach is discovered, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines that it will impede a criminal investigation. In that instance, notification will be made as soon as possible after law enforcement gives clearance.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if the notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- If a breach involved a username and password, notice can be sent electronically or by email. The notice must meet the content requirements of the statute and inform the recipient to promptly change their password and take other steps to protect their information. If the breach involves the login credentials of an email account furnished by the subject entity, the entity cannot provide notice by email to that account.
- Substitute notice as provided below.
The notice shall be clear and conspicuous and shall include at a minimum:
- Name and contact information of the reporting person or business.
- Date or approximate date of the breach.
- Types of Personal Information that were or are reasonably believed to be subject to the breach.
- Toll-free telephone numbers and addresses of the major credit reporting agencies, if Personal Information was exposed in the breach.
The notice to the Attorney General must include, with a single sample copy of the security breach notification, excluding any personally identifiable information:
- The number of Washington consumers affected, or an estimate if the exact number is not known.
- A list of the types of Personal Information that were or are reasonably believed to have been impacted.
- The time frame of exposure, if known, including the date of the breach and the date of the discovery.
- A summary of the steps taken to contain the breach.
- The notice to the Attorney General must be updated if any of the information is unknown at the time notice is due.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains computerized data that includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of a security breach immediately upon discovery. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any consumer who is injured by a violation of this Section may file a civil lawsuit to recover damages. The Attorney General may bring an action on behalf of the State or its residents. A violation is an unfair or deceptive act and an unfair method of competition.
- Reimbursement Provision. If a breach occurs while an entity holds unencrypted account information or is not PCI DSS compliant, the payment processors, businesses and vendors can be liable to a financial institution for the cost of reissuing credit and debit cards when the breach discloses full unencrypted account information, meaning the account number on a credit or debit card together with the cardholder’s name, expiration date or service code.
PRIVATE RIGHT OF ACTION. Yes. Any resident injured by a violation may file a civil action to recover damages.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Wash. Rev. Code § 19.215.020. An entity must take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual's records within its custody or control when the entity is disposing of records that it will no longer retain.
LEGISLATIVE UPDATES.
S.B. 6043 – Signed into law on 5/10/2005, Effective 7/24/2005.
H.B. 1149 – Signed into law on 3/22/2010, Effective 7/1/2010.
H.B. 1078 – Signed into law on 4/23/2015, Effective 7/24/2015.
H.B. 1071 – Signed into law on 5/7/2019, Effective 3/1/2020.
For more information, see here: https://app.leg.wa.gov/RCW/default.aspx?cite=19.255
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.