This week the Washington State Legislature passed a set of amendments to Washington’s data breach notification statutes for businesses and government agencies. The existing law requires businesses to notify impacted Washington residents when the business has a data security incident compromising certain categories of personal data. Once the bill is signed into law, and there is no indication it will not be, the amendments take effect March 1, 2020.
For businesses, here are some of the key updates:
1. Timing for notice to both consumers and the Attorney General shortened. Washington will join the 30-day notice club, moving its data breach notice timeline from 45 days to within 30 days of discovery of the breach. As with the current statute, any time a business notifies 500 or more Washington residents, the business must also notify the Washington Attorney General, likewise within 30 days of discovery. The existing exception allowing a delay at the request of law enforcement remains.
2. Expanded definition of personal information that triggers notification. The amendments expand the types of personal information that, if breached, trigger an obligation to notify consumers. Notable additions are date of birth combined with name, and a catch-all for combinations that would likely lead to identity theft. Here is how the current and new triggers stack up:
3. Additional notice requirements around login credentials. When login credentials are breached, businesses can notify the consumers by email or other electronic methods. The notice must prompt users to change their passwords or take other appropriate steps to protect their accounts. Also, the electronic notice cannot be made on the platform for which login credentials were compromised. Businesses must notify through some other means outside of those accounts.
4. Notice content. The amendments dictate, with more detail than the current law, the type of information that must be included in any breach notification. Once the new law takes effect, consumer notifications will need to contain the length of time of exposure, and the notice to the Attorney General will need to include the types of personal information involved, the length of time of exposure, and the containment steps taken. However, these new requirements are not unusual in light of requirements in some other states and typical practice.
Overall, these amendments will greatly expand the number of incidents that require notice. In particular, the addition of date of birth and the catch-all for combinations that enable identity theft are a large expansion. One good data minimization practice is to truncate consumers’ full date of birth to only the birth year, or the year and month, wherever the full date is not actually needed, so that a compromised record no longer carries the name-plus-date-of-birth trigger. Notably, Washington’s current data breach law is widely considered to cover paper records as well as electronic ones. Businesses should assess their hygiene around paper records as well as their data security and incident response posture.
The amendments also increase the amount of factual and legal analysis required in deciding when to notify consumers. Personal information that has already lawfully been made available from government records is exempted from the notice trigger, and it is unclear how that exemption will apply to the new categories of personal information. It is debatable whether login credentials for accounts that require multi-factor authentication fit the trigger. Perhaps hardest of all, businesses will need to evaluate whether other combinations of compromised personal information could lead to identity theft and therefore trigger notice.
What about the other Washington privacy law?
For clarity, the bill that passed is not the Washington Privacy Act. That legislative proposal, a comprehensive privacy law modeled partly on the European Union’s General Data Protection Regulation, would have created new rights and obligations around the acquisition and use of personal data. The Washington Privacy Act did not move out of Committee and appears to be dead, although we shall see in the coming days if any procedural maneuvers are able to resurrect that bill this session.