Washington Overhauls its Data Breach Notification Law
As we noted last month, Washington’s efforts to follow California’s lead in passing its own GDPR-like law have stalled after the bill failed to make its way through state’s House of Representatives—despite overwhelming approval in the Senate (where it passed 46-1). That bill’s sponsor has promised to revisit the issue during the 2020 legislative session.
Despite this roadblock on the consumer privacy front, Washington governor Jay Inslee signed a bill on May 7 (HB 1071) significantly expanding the state’s data breach notification law, RCW 19.255.01, et seq. There was little doubt that Governor Inslee would sign the bill into law, as it passed unanimously in both state legislative bodies.
Below is a summary of major changes to the state’s data breach notification law, and key takeaways for employers subject to Washington law. For a detailed explanation of the law’s new provisions—which will become effective March 1, 2020—please refer to this post.
Deadline to provide notice of breach shortened to thirty (30) days following discovery.
Under the current law (and until HB 1071’s amendments become effective on March 1, 2020), notice of a breach must be provided within 45 days of discovery. With the amendments, notice must be provided no more than thirty days after the organization discovers the breach. This applies to notices sent to affected consumers as well as to the state’s Attorney General. The threshold requirement for notice to the Attorney General remains the same—it is only required if 500 or more Washington residents were affected by the breach.
Thirty days may still sound like plenty of time, but it can often take several days, or even weeks, for an entity to determine the scope of a breach and compile a list of potentially affected consumers. And if the breach affected residents of more than one state, each state’s laws must be examined to ensure that the notices sent to each individual comport with the breach notification laws of that individual’s state of residence.
Definition of “personal information” significantly expanded.
The previous definition tracked the language used by the majority of states, and only covered breaches that included an individual’s first name (or initial) and last name, plus any one or more of the three “bare minimum” data elements— Social Security number, driver’s license or state ID number, and/or financial account or card number (with an access code or password that would permit access thereto).
With the amendment, Washington adds the following six additional data elements that will be considered “personal information” if combined with an individual’s first name or initial and last name:
- Full date of birth;
- Unique private key used to authenticate or sign an electronic record;
- Passport, military, or student ID number;
- Health insurance policy or identification number;
- Information about a consumer’s medical history, physical or mental health condition, or diagnosis or treatment by a health care professional; and,
- Biometric data (such as fingerprint or retina scans, voiceprints, or other unique biological patterns used to identify an individual).
Significantly, Washington law now considers an individual’s username (or email address) and password (or security questions sufficient to permit access to an account) to be “personal information” regardless of whether the individual’s name is included. Notice to affected consumers of a breach of this type may be provided electronically or by email (unless the affected account was the individual’s email account).
In addition, the new law provides that even without an individual’s first name or initial and last name, any one or more of the other data elements will be considered “personal information” if the element, or combination of elements, would permit a person to commit identity theft against the individual, and the data element(s) were not rendered unusable though encryption, redaction or other methods.
Finally, as discussed more thoroughly in this post, HB 1071 also added notice requirements for affected consumers and the Attorney General—though notice to the Attorney General is still not required unless 500 or more Washington residents were affected by the breach.
There are several takeaways for employers here:
- First, employers must be aware of the types of data elements the organization maintains on its employees (or other individuals, such as customers or clients), how that data is maintained, and what happens to that data when it is no longer needed.
- Employers should also examine the necessity of maintaining certain types of data, and consider narrowing the scope of data elements that the organization maintains by ceasing to collect and maintain unnecessary data—even if not currently listed in the state’s definition of “personal information.”
- Until now, Washington employers may not have been overly concerned with securing certain types of data, such as an employee’s date of birth or health insurance policy number. But once HB 1071’s amendments take effect, that information could trigger breach notification duties if subject to unauthorized access or disclosure.
- Finally, employers should ensure the organization has sound policies in place specifically to deal with sensitive data (e., “personal information”) deemed necessary to maintain.