On April 23, Gov. Jay Inslee signed amendments to Washington state’s data breach notification law. The amendments strengthen protections for consumers and mandate a new time frame and reporting requirements for alerting consumers of a data breach. The new law goes into effect on July 24. Key changes include:
- A 45-day timeframe for notifying consumers of a data breach;
- Extension of protection to personal information contained in hard-copy form;
- Reporting requirements triggered even if the data was encrypted, if the means to decipher the secured information were also obtained;
- Reporting exemptions for entities cooperating with an ongoing criminal investigation or complying with the federal Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) reporting requirements; and
- Reporting requirements to the Attorney General’s office and explicit enforcement powers for the Attorney General.
Anyone doing business in Washington should be aware of the new requirements. They apply to any individual, business or agency that conducts business in the state and owns or licenses consumers’ personal information. The previous statute only required notification if electronic records were breached, whereas the new law applies to information kept both in electronic media and hard-copy form. In the event of a security breach that compromises Washington consumers’ personal information, notice must be made to affected consumers “in the most expedient time possible and without unreasonable delay, no more than forty-five calendar days after the breach was discovered.” Also, notice is required even when the personal information acquired or accessed was encrypted, if the means to decipher the secured information was obtained. Any required notice must meet the following minimum requirements:
- Notice must be written in plain language;
- Notice must include the name and contact information of the individual or entity whose security system was breached;
- Notice must include a list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and
- Notice must include toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
Only limited exemptions are allowed. Notification may be delayed beyond 45 days if the data owner or licensee contacts and informs a law enforcement agency of the breach and a law enforcement agency determines that notification would impede a criminal investigation. Persons or entities that are covered by HIPAA and in compliance with its notification requirements, and specific financial institutions in compliance with the notification requirements of GLBA, are deemed in compliance with Washington’s consumer notification requirements. Additionally, notice is not required if the breach of the security system is not reasonably likely to subject consumers to risk of harm.
The Attorney General, who requested enhancements to the prior data breach statute, appears poised to take a significant role in enforcement. In addition to requiring notification to consumers, the amendments mandate notice to the Attorney General when a data breach affects more than 500 Washington residents. Notice to the Attorney General is also required in addition to HIPAA and GLBA compliance. The new law also provides that the Attorney General may bring an enforcement action under the Consumer Protection Act by either bringing an action in the name of the state or as parens patriae on behalf of Washington consumers. Individual consumers remain able to initiate a civil action for damages.