December 2, 2022

Volume XII, Number 336

Washington Law Expands State Data Breach Notification Obligations

On April 23, Washington Governor Jay Inslee signed a bill that strengthens the state’s notification requirements in the event of a data breach. The new law makes it a violation of Washington’s Consumer Protection Act for a company to fail to notify state residents affected by a data breach, computerized or otherwise.

The measure—which goes into effect on July 24—will apply to people and companies doing business in Washington that own or license personal information of state residents. In the event of a security breach of a system storing such data, the new law requires covered entities to provide notice to affected individuals as soon as possible and no later than 45 days after the breach is discovered (unless otherwise requested by Washington law enforcement officials). However, if the data at issue in the potential breach is encrypted and does not include decryption keys or other similar ways to access the secured data, the notification requirements are waived subject to an analysis of the risk of likely harm. The law requires the breach notice to be written in plain language and include the type of information at risk and contact information for the appropriate credit reporting agencies.

In addition, the law requires such companies to notify the state attorney general of similar breaches and gives enforcement power to the Washington attorney general. The attorney general can bring actions on behalf of affected consumers or the state under Washington’s Consumer Protection Act, and covered entities could be liable for actual damages, costs, and fees in the form of treble damages up to $25,000.

Finally, the bill includes federal preemption language for those entities that have obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Gramm-Leach-Bliley Act. So long as entities covered under those federal laws comply with applicable guidelines and notify the Washington state attorney general of such actions, they will be deemed in compliance with the requirements under the new Washington law.

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume V, Number 131

About this Author

Vito Petretti, Morgan Lewis, Technology Lawyer
Partner

Vito Petretti’s practice focus is technology and outsourcing matters. Clients regularly turn to him to draft and negotiate domestic and international outsourcing service agreements for a variety of business processes, such as information technology, finance and accounting, human resources, and procurement. Within the realm of information technology, Vito drafts and negotiates agreements for software licensing, hardware purchases and leases, data licensing and subscriptions, website hosting and development, and other technology-related agreements, including system...

215-963-5001