Washington Governor Jay Inslee signed HB 1071 into law on May 7, 2019. This bill amends and expands Washington’s data breach notification law and takes effect March 1, 2020. Washington’s revision of its data breach notification law follows other governments that have also recently enacted, implemented, or amended data privacy laws. We discuss some of the trends we see in these laws and amendments below.

HB 1071 Broadens Definition of Personal Information

Prior to HB 1071, Washington’s data breach notification law defined personal information as the combination of an individual’s first initial or first name, last name, and one or more of the following: (i) Social Security number, (ii) driver’s license number or Washington ID card number, or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The new law augments these numbered items to include the following:

  • Full date of birth;
  • Private key unique to an individual and that is used to authenticate or sign an electronic record;
  • Student, military, or passport ID number;
  • Health insurance policy number or health insurance ID number;
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; and
  • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

In addition, the new law considers these data elements personal information even if unaccompanied by an individual’s first initial or first name and last name, provided that encryption, redaction, or other methods have not rendered the element(s) unusable and that the element(s) would enable a person to commit identity theft against a consumer. Regardless of whether an individual’s name is included, the new law extends personal information to also include usernames or email addresses in combination with a password or security questions and answers that would permit access to an online account.

Timing and Content of Data Breach Notices

Prior to HB 1071, Washington’s data breach notification law required notification to be made in the most expedient time possible and without unreasonable delay, but no more than 45 calendar days following discovery of the breach. The new law reduces that period to 30 calendar days, both for notice to affected individuals and for informing the Washington Attorney General. Washington joins Colorado and Florida in having this 30-day notification period, the shortest among all the states.

In addition, the new law requires notices to individuals to include, if known, the date of the breach and the date of the discovery of the breach. If a breach involves a username or password, notice may be sent by email and must inform the person to promptly change his or her password and security question or answer. Understandably, if the breach involves email login credentials, notice must be given by a means that does not involve email.

The new law requires that the notice to the Attorney General contain additional disclosures, some of which are included in the notice to individuals. Notice to the Attorney General is required only if more than 500 Washington residents are affected by the breach.

Data Breach Notification Laws of Other Governments

This past year saw many developments in data privacy laws, with the European Union’s (EU’s) General Data Protection Regulation (GDPR) coming into effect in May 2018 and California enacting the California Consumer Privacy Act (CCPA) in September 2018. Many data breach notification laws saw changes as well. Eight states expanded their definition of personal information. For example, Connecticut’s data breach notification law was amended so that credit and debit card numbers disclosed with an individual’s name trigger breach notification even if no access or security code was compromised.

Additionally, when more sensitive information is disclosed, states are beginning to require businesses to provide identity theft protection mechanisms. Massachusetts, whose amendment to its data breach notification law took effect in early April, recently joined Connecticut, California, and Delaware in requiring credit monitoring when Social Security numbers are disclosed.

Even the State of Washington is considering further measures. In its most recent session, the Washington legislature introduced the Washington Privacy Act, a bill similar to California's CCPA and the EU's GDPR. Although the Washington Privacy Act passed overwhelmingly in the Senate, it did not come to a vote in the House of Representatives. Washington legislators expect to pick up the legislation in 2020.

As breach notification statutes become more specific, it will be crucial for businesses to maintain processes to respond to breaches efficiently.