Washington Data Breach Notification Law (HB 1071)
What Is Washington Data Breach Notification Law (HB 1071)?
Passed in 2019, Washington state’s new data breach notification law, known as “HB 1071”, expands the circumstances in which organization must disclose certain data security incidents.The law requires businesses to notify impacted individuals of a breach of their Personal Information within 30 days and to notify the state attorney general if the breach affects more than 500 Washingtonians.
How Does the Washington Data Notification Law Define “Personal Information”?
The law defines “personal information” as an individual’s name in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. Additionally, it also includes the following types of data:
A security breach is defined as “an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information.”
What Businesses Are Subject to the Washington Data Notification Law?
HB 1071 applies to any person or business that conducts business in Washington and that owns, licenses, or maintains (but does not own) data that includes personal information on Washington residents.
Key requirements within the Washington Data Notification Law
Who Enforces the Law and What Are the Penalties for Non-Compliance?
The Washington state attorney general has the authority to enforce the Washington Data Breach Notification Law. Since the law has only been in effect since March 1, 2020, specific details on penalties for non-compliance remain to be seen.