Guide to Washington Data Breach Notification Law (HB 1071)

What Is Washington Data Breach Notification Law (HB 1071)?

Passed in 2019, Washington state’s new data breach notification law, known as “HB 1071”, expands the circumstances in which organizations must disclose certain data security incidents. The law requires businesses to notify affected individuals of a breach of their personal information within 30 days and to notify the state attorney general if the breach affects more than 500 Washingtonians.

How Does the Washington Data Notification Law Define “Personal Information”?

The law defines “personal information” as an individual’s name in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. It also covers the following types of data:

  • Full date of birth
  • Student, military or passport identification numbers
  • Health insurance policy or identification numbers
  • Biometric data, including fingerprints, retina scans, and facial geometry
  • Online identifiers (e.g. email address) in combination with a password or security information that would permit access to an online account
  • Any other data elements disconnected from an individual’s name, if the data is not encrypted, redacted, or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer”

A security breach is defined as “an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information.”

What Businesses Are Subject to the Washington Data Notification Law?

HB 1071 applies to any person or business that conducts business in Washington and that owns, licenses, or maintains (but does not own) data that includes personal information on Washington residents.

Key requirements within the Washington Data Notification Law

  • Notify any resident of Washington whose personal information was, or is reasonably believed to have been, subject to a data breach, within 30 days of the breach being discovered.
  • Have a data breach response plan that addresses:
      • how, and to whom, individuals may report a suspected data incident;
      • the composition, authority, and framework of a data incident response team responsible for containing and resolving an incident;
      • the retention of outside counsel and other external experts and consultants; and
      • default incident communication statements and notifications.
  • Provide notice of a breach to the Attorney General’s office when the breach affects more than 500 Washingtonians. The notice must include the following:
      • a list of the types of personal information that were or are reasonably believed to have been breached;
      • if known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
      • a summary of steps taken to contain the breach; and
      • a copy of the breach notification sent to affected residents.
    The notice must be sent within 30 days of the breach being discovered.

Who Enforces the Law and What Are the Penalties for Non-Compliance?

The Washington state attorney general has the authority to enforce the Washington Data Breach Notification Law. Since the law has only been in effect since March 1, 2020, specific details on penalties for non-compliance remain to be seen.

Washington Data Breach Notification Law: Frequently Asked Questions

Personally identifiable information (PII) under the Washington law includes an individual’s first name or first initial and last name combined with any one or more of the following data elements when not encrypted:

  • Social Security Number (SSN)
  • Driver’s license number or Washington identification card number
  • Account number or credit or debit card number in combination with any required security code, access code, or password
  • Full date of birth
  • Private key that is unique to an individual and used to authenticate or sign an electronic record
  • Medical and health insurance identification numbers
  • Any information about a consumer’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • Biometric data
  • Any combination of username or email address with a password or security question and answer that would permit access to an online account

A notification requirement is triggered when unencrypted personal information is, or is reasonably believed to have been, accessed and acquired by an unauthorized person, and that access creates a risk of harm to the affected individuals.

Affected individuals must be notified as soon as possible, but no later than 30 days after the discovery of the breach. The notification must be made in the most expedient time possible without unreasonable delay, considering the time needed to determine the breach’s scope and restore the reasonable integrity of the data system.

The notification must include:

  • The date of the breach
  • A description of the personal information that was compromised
  • Contact information for the entity that experienced the breach
  • A toll-free telephone number for individuals to call for more information
  • Information on what the entity is doing to address the breach
  • Steps individuals can take to protect themselves from identity theft

Yes, if the compromised data was encrypted or if the data was accessed in good faith by an employee or agent of the organization (and the information is not used or further disclosed), notification may not be required. However, if the breach involves encrypted data and the encryption key has been compromised, the notification requirement is still triggered.

Non-compliance with the Washington Data Breach Notification Law can result in legal action by the state Attorney General. The penalties may include civil penalties and additional damages for affected consumers. Organizations may also face reputational damage and loss of consumer trust.

Yes, if a breach affects more than 500 Washington residents, the organization must also notify the Washington Attorney General within 30 days of discovering the breach. The notification to the Attorney General must include the number of Washington residents affected, a copy of the notice sent to individuals, and any steps the entity is taking to remedy the situation.

Yes, if a law enforcement agency determines that notification would impede a criminal investigation, the notification can be delayed. However, the organization must document the reason for the delay and must provide notification as soon as the law enforcement agency indicates that it will not interfere with the investigation.

If a third-party service provider experiences a data breach involving personal information of Washington residents, it is required to notify the data owner or licensee of the breach immediately. The data owner or licensee is then responsible for fulfilling the notification obligations to the affected individuals and the Attorney General, if applicable.

The Washington Data Breach Notification Law is specific to Washington state, but organizations must also consider the notification requirements of other states where affected individuals reside. Additionally, certain breaches may also trigger requirements under federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), depending on the type of information compromised.

The law does not specifically mandate that businesses offer credit monitoring services to affected individuals. However, providing such services can be a best practice to help mitigate the risks to affected individuals and can demonstrate good faith efforts in responding to the breach.

Hyperproof makes meeting Washington Data Breach Notification Law requirements simple

  • Seamlessly map Washington Data Breach Notification Law controls to multiple regulatory standards for comprehensive compliance
  • Integrate effortlessly with your existing productivity tools to streamline workflows
  • Quickly and automatically collect and document evidence to demonstrate your adherence to Washington’s Data Breach Notification Law requirements
  • Reuse collected evidence across various compliance frameworks to simplify the documentation process and reduce audit fatigue
  • Pinpoint and prioritize critical data protection workflows to maintain robust security and compliance standards
