On April 22, the Washington State Legislature passed H.B. 1071, a bill designed to strengthen the state’s data breach notification law. The bill, which will take effect March 1, 2020, if and when signed, includes the following amendments:
1. Expands the definition of “personal information” – Previously, “personal information” was limited to an individual’s name, in combination with any of the following data elements:
- Social Security Number;
- Driver’s license or Washington State identification card number; or
- Full account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual’s financial account.
H.B. 1071 broadens this definition and considers personal information to be an individual’s name, in combination with any of the following expanded list of data elements:
- Social Security Number;
- Driver’s license or Washington State identification card number;
- Full account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual’s financial account, or any other numbers or information that can be used to access a person’s financial account;
- Full date of birth;
- Private key that is unique to an individual that is used to authenticate or sign an electronic record;
- Student, military, or passport identification number;
- Health insurance policy number or insurance identification number;
- Certain medical history and information; and
- Certain biometric data.
H.B. 1071 also expands the definition to include a username or email address in combination with a password or security questions and answers that would permit access to an online account.
2. Shortens the deadline to notify impacted residents – H.B. 1071 shortens the deadline to notify from forty-five calendar days to thirty calendar days after the breach was discovered. The proposed bill maintains that notification can be delayed at the request of law enforcement.
3. Shortens the deadline to notify the Attorney General – The bill mandates that covered entities that are required to issue data breach notifications to more than 500 Washington residents as a result of a single breach to notify the A.G. within thirty days of discovering the breach. Previously, covered entities were required to notify the A.G. by the time notice was provided to affected residents. With the new provision, covered entities may be able to notify the A.G. after notifying consumers, provided the A.G. is notified within the thirty-day limitation.
4. Amends notification content requirements – For data breach notifications issued to impacted Washington residents, the bill requires the notice to include the “time frame of exposure,” including the date of the breach and the date the breach was discovered. The bill also modifies the information that must be included in the A.G. notice. Once the law takes effect, the A.G. notice must include:
(a) The number of Washington consumers affected by the breach;
(b) The time frame of exposure, including the date of the breach and the date of the discovery of the breach;
(c) A summary of steps taken to contain the breach; and
(d) A copy of the data breach notification to Washington residents.
5. Introduces new requirements when login credentials are compromised – For breaches involving a username or password, the bill mandates that the notice inform the impacted individual to change his or her password and security question or answer, or to take other appropriate steps to protect all online accounts for which the person uses the same credentials. Additionally, where the breach involves login credentials of an email account provided by the covered entity, the covered entity may not provide notification to that email address. Rather, the notice must be provided by written or substitute notice.
From a practical perspective, once the law comes into effect, the number of incidents that trigger Washington’s data breach notification requirements will undoubtedly increase. The new definition of “personal information” will now touch on incidents that have previously fallen outside the scope of the states’ data breach notification law, which has historically been limited to incidents compromising Social Security Numbers, driver’s license or identification numbers, and/or account numbers and passcodes. Although many of the new changes will not be unique to Washington (e.g., North Dakota also considers date of birth as “personal information”), the passage of H.B. 1071 illustrates the ever-expanding scope of U.S. data breach notification requirements and privacy laws in general. As with what happened once the California Consumer Privacy Act was enacted, it would not be surprising to see other states follow in Washington’s footsteps. Indeed, North Carolina is already considering a similar update to its data breach notification law.
Companies tracking data breach notification requirements as part of their incident response plans, policies, and procedures should be prepared to update their materials to account for these changes.