Key Notes:

  • Washington’s new data breach notification law expands the circumstances in which an organization must disclose certain data incidents.
  • The law redefines “personal information” to include a broad range of data categories, including dates of birth and even certain types of de-identified data.
  • The law will require businesses to notify impacted individuals of a data breach within 30 days.

A relatively new development in state data breach law is the expansion of the circumstances in which organizations must issue data breach notifications, accompanied by an acceleration of the timeframes in which they must do so. Washington state accomplished both when its governor recently signed HB 1071 into law.

Washington’s law will come into force in 2020, and businesses should consider creating, implementing and testing data incident response plans against the heightened standards set forth in HB 1071, as this trend in data breach notification laws will likely continue among other states.

The Washington State Law

In 2005, Washington enacted its data breach notification law, which applies to “[a]ny person or business that conducts business” in Washington and that “owns or licenses data that includes personal information” on Washington residents. The current law also applies to individuals or organizations that maintain (but do not own) personal information, while HB 1071 will extend applicability to organizations that “possess[ ],” but otherwise do not own or license, such data.

At its core, Washington’s law requires certain organizations to notify “any resident” of Washington if his or her personal information was, or is reasonably believed to have been, subject to a data breach. The current law contains exceptions to the notification requirement if the data breach “is not reasonably likely to subject consumers to a risk of harm” or was inadvertently acquired “in good faith.” HB 1071 will not alter either of these existing exceptions. Similarly, HB 1071 does not amend the current law’s exclusion of information that is encrypted in a manner that meets, or exceeds, the standards set forth by the National Institute of Standards and Technology, or is otherwise rendered unreadable, unusable or undecipherable.

On the other hand, HB 1071 will clarify how a data breach notification may be provided to impacted individuals and the types of information that must be disclosed to the state’s attorney general (if notification is otherwise warranted by the size and nature of the breach).

Expanding the Class of Reportable Breaches

The underlying purpose of any data breach notification law is to enable victims to undertake measures that reduce the probability their compromised information will be used to commit identity theft or other harm. For example, criminals can exploit an individual’s stolen personal information to create new financial accounts, issue fraudulent identity documents, and even submit falsified tax records to seek government-issued refunds.

Accordingly, the majority of U.S. data breach notification laws define “personal information” in terms of an individual’s name, in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. Given the sensitivity of personal information and the harm that may result from its unauthorized access or acquisition, state data breach laws generally require organizations to notify individuals if this information is compromised.

Of particular importance, HB 1071 expands the definition of personal information beyond the above-mentioned three categories to include, among others, the following types of data:

  • Full date of birth
  • Student, military or passport identification numbers
  • Health insurance policy or identification numbers
  • Biometric data (e.g., fingerprint, retina scans)
  • Online identifiers in combination with a password or security information that would permit access to an online account

HB 1071 also defines personal information as any of these data elements disconnected from an individual’s name, if the data is not encrypted, redacted or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer.”

Washington state joins North Dakota in providing one of the few domestic legal frameworks that includes a person’s date of birth in the definition of personal information – the compromise of which may result in a notification obligation and potential liability. This raises particular concerns in terms of data breach risk, given how broadly organizations can access and retain this information. For example, individuals often post information about their birthday on social media platforms, and office “birthday parties” have become commonplace. Although the Washington law provides an exception for publicly available information, this exception only applies if the information was lawfully made public from federal, state or local government records (and not by the individual).

Thus, an organization subject to Washington’s data breach law will have to notify an individual if his or her name and date of birth (or any other data element identified above) are compromised in a breach.

Limiting the Notification Timeframe

The earlier that victims of a data breach are notified, the sooner they can take steps to mitigate the risk of harm. Accordingly, HB 1071 defines and limits the timeframe in which an organization must notify a Washington resident of a data breach. Under the current law, if an organization must notify an affected consumer or the attorney general of a data breach, it must do so “in the most expedient time possible and without unreasonable delay,” but in “no more than forty-five calendar days after the breach was discovered,” unless an exception delineated in the law applies. Pursuant to HB 1071, these notifications must be issued “in the most expedient time possible without unreasonable delay, and no more than thirty calendar days after the breach was discovered,” unless an exception applies.

Washington’s law follows other states’ recently enacted or amended data breach response laws. For example, Colorado’s amended law, which went into force in 2018, provides the same 30-day breach notification timeframe. Of course, these timeframes are substantially different from those imposed by the European Union’s General Data Protection Regulation as well as certain requirements governing financial services that require data breach notifications to occur within 72 hours of the incident.

Preparing for the Worst: Data Breach Response Plans and Best Practices

Businesses should establish and continuously test their data breach response plans as a best practice, as well as to account for their evolving data privacy and cybersecurity requirements. Often, a data breach response plan addresses:

  • how, and to whom, individuals may report a suspected data incident;
  • the composition, authority and framework of a data incident response team responsible for containing and resolving an incident;
  • the retention of outside counsel and other external experts and consultants;
  • default incident communication statements and notifications; and
  • contacts at law enforcement, regulatory, consumer protection and insurance agencies.

Not only is an effective data incident response plan needed to ensure organizations are in compliance with data breach notification laws, it is essential for minimizing reputational damage and other costs that may result from a data breach.