Washington Data Breach Notification Law (HB 1071)

Passed in 2019, Washington state’s new data breach notification law, known as “HB 1071”, expands the circumstances in which organizations must disclose certain data security incidents. The law requires businesses to notify impacted individuals of a breach of their Personal Information within 30 days and to notify the state attorney general if the breach affects more than 500 Washingtonians.

How Does the Washington Data Notification Law Define “Personal Information”?

The law defines “personal information” as an individual’s name in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. Additionally, it also includes the following types of data:

  • Full date of birth
  • Student, military or passport identification numbers
  • Health insurance policy or identification numbers
  • Biometric data, including fingerprinting, retina scans, and facial geometry.
  • Online identifiers (e.g. email address) in combination with a password or security information that would permit access to an online account.
  • Any other data elements disconnected from an individual’s name, if the data is not encrypted, redacted, or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer”

A security breach is defined as “an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of that resident’s personal information.”

What Businesses Are Subject to the Washington Data Notification Law?

HB 1071 applies to any person or business that conducts business in Washington and that owns, licenses, or maintains (but does not own) data that includes personal information on Washington residents.

Key Requirements Within the Washington Data Notification Law

  • Within 30 days of the breach being discovered, notify any resident of Washington whose personal information was, or is reasonably believed to have been, subject to the data breach.

  • Have a data breach response plan that addresses:

    • how, and to whom, individuals may report a suspected data incident;
    • the composition, authority, and framework of a data incident response team responsible for containing and resolving an incident;
    • the retention of outside counsel and other external experts and consultants;
    • default incident communication statements and notifications; and
    • contacts at law enforcement, regulatory, consumer protection, and insurance agencies.

  • Provide notice of a breach to the Attorney General’s office when the breach affects more than 500 Washingtonians. The notice must include the following:

    • A list of the types of personal information that were or are reasonably believed to have been breached;
    • If known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
    • A summary of steps taken to contain the breach; and
    • A copy of the breach notification sent to affected residents.

    The notice must be sent within 30 days of the breach being discovered.

Who Enforces the Law and What Are the Penalties for Non-Compliance?

The Washington state attorney general has the authority to enforce the Washington Data Breach Notification Law. Since the law has only been in effect since March 1, 2020, specific details on penalties for non-compliance remain to be seen.