On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:

  1. Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
    • both computerized and hard copy data that contain personal information that is not “secured;” and
    • encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.
  2. H.B. 1078 adds federal preemption language for entities covered under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) – such entities are deemed compliant with the new law if they complied with §13402 of the federal Health Information Technology for Economic and Clinical Health Act. Some financial institutions under the authority of federal regulators under the Gramm-Leach Bliley Act are also deemed in compliance with the new law if they notify in compliance with applicable federal guidelines. In each case, they still have requirements to notify the state Attorney General.
  3. H.B. 1078 adds content requirements for notification to provide consumers with basic information to help secure or recover their identities:
    • the name and contact information for the reporting entity;
    • the types of personal information that were subject to the breach; and
    • toll-free telephone numbers and addresses for the major credit reporting agencies.
  4. The new law requires consumer notification in the most expedient time possible and without unreasonable delay, and no more than 45 days after the breach was discovered (however, notice is not required if the security breach is not reasonably likely to subject consumers to a risk of harm). If more than 500 Washington residents must be notified under the law, H.B. 1078 requires that notice also be provided to the attorney general by the time notice is provided to consumers, including a copy of the notice sent to consumers (eliminating any personal information) as well as an estimated number of Washington residents affected by the breach.
  5. In addition to the private right of action which existed under the law prior to the amendment, under H.B. 1078, the attorney general is given the right to enforce the law.

The changes to Washington State’s existing breach notification laws are meant to clarify any ambiguity regarding the scope of the law and how and when it applies to encrypted data that has been compromised. Large data breaches on the front pages of newspapers have led to increased scrutiny of existing laws and procedures, including bipartisan legislation currently making its way through Congress.