Guide to

Washington Data Breach Notification Law (HB 1071)

What Is Washington Data Breach Notification Law (HB 1071)?

Passed in 2019, Washington state’s new data breach notification law, known as “HB 1071”, expands the circumstances in which organization must disclose certain data security incidents.The law requires businesses to notify impacted individuals of a breach of their Personal Information within 30 days and to notify the state attorney general if the breach affects more than 500 Washingtonians.

How Does the Washington Data Notification Law Define “Personal Information”?

The law defines “personal information” as an individual’s name in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. Additionally, it also includes the following types of data:

Full date of birth
Student, military or passport identification numbers
Health insurance policy or identification numbers
Biometric data, including fingerprinting, retina scans, and facial geometry.
Online identifiers (e.g. email address) in combination with a password or security information that would permit access to an online account.
Any other data elements disconnected from an individual’s name, if the data is not encrypted, redacted, or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer”

A security breach is defined as “an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information.”

What Businesses Are Subject to the Washington Data Notification Law?

HB 1071 applies to any person or business that conducts business in Washington and that owns, licenses, or maintains (but does not own) data that includes personal information on Washington residents.

Key requirements within the Washington Data Notification Law

Notify any resident of Washington if his or her personal information was, or is reasonably believed to have been, subject to a data breach within 30 days of the breach being discovered.
Have a data breach response plan that addresses:

how, and to whom, individuals may report a suspected data incident;
the composition, authority, and framework of a data incident response team responsible for containing and resolving an incident;
the retention of outside counsel and other external experts and consultants;
default incident communication statements and notifications; and
default incident communication statements and notifications; and

Provide notice of a breach to the Attorney General’s office when the breach affects more than 500 Washintonians. The notice must include the following:

A list of the types of personal information that were or are reasonably believed to have been breached;
If known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
A summary of steps taken to contain the breach; and
A copy of the breach notification sent to affected residents.
The notice must be sent within 30 days of the breach being discovered.

Who Enforces the Law and What Are the Penalties for Non-Compliance?

The Washington state attorney general has the authority to enforce the Washington Data Breach Notification Law. Since the law has only been in effect since March 1, 2020, specific details on penalties for non-compliance remain to be seen.