Washington Governor Jay Inslee recently signed into law amendments to the state’s data breach notification law that expand it to cover non-computerized data and introduce an attorney general notification requirement in the event there are more than 500 Washington residents impacted by the breach. Washington did not previously have an attorney general notification requirement.
Other changes include introducing a requirement that consumers and the Attorney General be notified in the “most expedient time possible and without unreasonable delay” but in no event more than 45 days after a breach is discovered, as well as content requirements for the notice to consumers, including providing contact information for credit reporting agencies and the types of information impacted by the breach. It excepts from notification requirements “secured” data, which is defined as data that is “encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”
Full amendments to the law can be viewed here. The amendments go into effect July 24, 2015.
TIP: Washington joins a growing number of states that have strengthened their data breach notification laws in recent years to include, among other requirements, notice to state authorities and content requirements for breach notices.