• PRO
  • Events
  • About Blog Store Popular
  • Login
  • Register
  • PRO
  • Resources
    • Latest updates
    • Q&A
    • In-depth
    • In-house view
    • Practical resources
  • Resources
  • Research
    • Legal research hub
    • Primary Sources
    • Research reports
    • Explore all
  • Research
  • Learn
    • All
    • Webinars
    • Videos
  • Learn
  • Experts
    • Find experts
    • Influencers
    • Firms
    • About
    Introducing Instruct Counsel
    The next generation search tool for finding the right lawyer for you.
  • Experts
  • My newsfeed
  • Events
  • About
  • Blog
  • Store
  • Popular
  • Legal research hub
  • Primary Sources
  • Research reports
  • Explore all
  • Find experts
  • Influencers
  • Firms
  • About
Introducing Instruct Counsel
The next generation search tool for finding the right lawyer for you.
  • Compare
  • Topics
  • Interviews
  • Guides

ANALYTICS

Review your content's performance and reach.

  • Analytics dashboard
  • Top articles
  • Top authors
  • Who's reading?

Content Development

Become your target audience’s go-to resource for today’s hottest topics.

  • Trending Topics
  • Discover Content
  • Horizons
  • Ideation

Client Intelligence

Understand your clients’ strategies and the most pressing issues they are facing.

  • Track Sectors
  • Track Clients
  • Mandates
  • Discover Companies
  • Reports Centre

Competitor Intelligence

Keep a step ahead of your key competitors and benchmark against them.

  • Benchmarking
  • Competitor Mandates
Home
Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Register now for your free, tailored, daily legal newsfeed service.

Questions? Please contact [email protected]

Register

Washington Amends Data Breach Notice Law With Shorter Notice Deadline and Expanded Triggers

Lane Powell PC

To view this article you need a PDF viewer such as Adobe Reader. Download Adobe Acrobat Reader

If you can't read this PDF, you can view its text here. Go back to the PDF .

USA April 25 2019

This week the Washington State Legislature passed a set of amendments to Washington’s data breach notification statutes for businesses and government agencies. The existing law requires businesses to notify impacted Washington residents when the business has a data security incident compromising certain categories of personal data. Once the bill is signed into law, and there is no indication it will not be, the amendments take effect March 1, 2020.

For businesses, here are some of the key updates:

1. Timing for notice to both consumers and the Attorney General shortened. Washington will join the 30-day notice club, moving its data breach notice timeline from 45 days to within 30 days of discovery of the breach. As with the current statute, any time a business notifies 500 or more Washington residents, the business also has to notify the Washington Attorney General, also within 30 days of discovery. An existing exception for law enforcement delays remains.

2. Expanded definition of personal information that triggers notification. The amendments expand the types of personal information that, if breached, trigger an obligation to notify consumers. Notable additions are date of birth combined with name, and a catch-all for combinations that would likely lead to identity theft. Here is how the current and new triggers stack up:

4. Notice Content. The amendments dictate, with more detail than the current law, the type of information that must be included in any breach notification. Once the new law takes effect, consumer notifications will need to contain the length of time of exposure, and the notice to the Attorney General will need to include types of personal information involved, length of time of exposure, and containment steps. However, these new requirements are not unusual in light of requirements in some other states and typical practice.3. Additional notice requirements around login credentials. When login credentials are breached, businesses can notify the consumers by email or other electronic methods. The notice must prompt users to change their passwords or take other appropriate steps to protect their accounts. Also, the electronic notice cannot be made on the platform for which login credentials were compromised. Businesses must notify through some other means outside of those accounts.

Practical Impact

Overall, these amendments will greatly expand the number of incidents that require notice. In particular, the addition of date of birth and the catch-all for combinations that enable identity theft are a large expansion. One good data minimization practice is to truncate consumers’ full date of birth to only birth year, or year and month. Notably, Washington’s current data breach law is widely considered to cover paper records as well as electronic. Businesses should assess their hygiene around paper records as well as their data security and incident response posture.

The amendments also increase the amount of factual and legal analysis required in deciding when to notify consumers. Personal information that has already lawfully been made available from government records is exempted from the notice trigger, and it is unclear how that will play out with these new categories of personal information. It is debatable whether login credentials for accounts that require multi-factor authentication fit the trigger. Perhaps the hardest, businesses will need to evaluate whether other combinations of compromised personal information could lead to identity theft and trigger notice.

What about the other Washington privacy law?

For clarity, the bill that passed is not the Washington Privacy Act. That legislative proposal, a comprehensive privacy law modeled partly on the European Union’s General Data Protection Regulation, would have created new rights and obligations around the acquisition and use of personal data. The Washington Privacy Act did not move out of Committee and appears to be dead, although we shall see in the coming days if any procedural maneuvers are able to resurrect that bill this session.

Lane Powell PC - Peter C. Fisk
Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Filed under

  • USA
  • IT & Data Protection
  • Lane Powell PC

Tagged with

  • Washington
  • GDPR

Popular articles from this firm

  1. Money Laundering Through the Black Market Peso Exchange *
  2. 5 reasons why you should patent your invention *
  3. Restaurant Revitalization Fund: Newest Addition to the List of SBA Stimulus Programs *
  4. Washington State Payroll Tax Funds Long Term Care Trust Fund — Except for Those Who Choose a Better Way *
  5. Washington State Payroll Tax Funds Long Term Care Trust Fund — Except for Those Who Choose a Better Way *

If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].

Powered by Lexology
loading...

Related research hubs

  • GDPR
  • USA
  • IT & Data Protection
Brenda P Fuller
Assistant General Counsel
Sodexo, Inc
What our clients say

“I find the newsfeeds to be extremely helpful and relevant to my practice area and to the issues facing my company. As I am extremely happy with the newsfeed (it is one of the best I receive) I have no suggestions at this time for improvement.”

Back to Top
Resources
  • Daily newsfeed
  • Q&A
  • Research hubs
  • Learn
  • In-depth
Experts
  • Find experts
  • Legal Influencers
  • Firms
  • About Instruct Counsel
More
  • About us
  • Blog
  • Events
  • Store
  • Popular
Legal
  • Terms of use
  • Cookies
  • Disclaimer
  • Privacy policy
  • GDPR compliance
Contact
  • Contact
  • RSS feeds
  • Submissions
 
  • Login
  • Register
  • Follow on Twitter
  • Follow on LinkedIn

© Copyright 2006 - 2021 Law Business Research

Law Business Research