Washington Data Breach Notification Law (HB 1071)
How Does the Washington Data Notification Law Define “Personal Information”?
The law defines “personal information” as an individual’s name in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. It also includes the following data elements:
- Full date of birth
- Student, military or passport identification numbers
- Health insurance policy or identification numbers
- Biometric data, including fingerprints, retina scans, and facial geometry
- Online identifiers (e.g., an email address) in combination with a password or security information that would permit access to an online account
- Any other data elements disconnected from an individual’s name, if the data is not encrypted, redacted, or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer”
What Businesses Are Subject to the Washington Data Notification Law?
Key requirements within the Washington Data Notification Law
Within 30 days of discovering a breach, notify any resident of Washington whose personal information was, or is reasonably believed to have been, subject to that breach.
Have a data breach response plan that addresses:
- how, and to whom, individuals may report a suspected data incident;
- the composition, authority, and framework of a data incident response team responsible for containing and resolving an incident;
- the retention of outside counsel and other external experts and consultants;
- default incident communication statements and notifications; and
- contacts at law enforcement, regulatory, consumer protection, and insurance agencies.
Provide notice of a breach to the Attorney General’s office when the breach affects more than 500 Washingtonians. The notice must include the following:
- A list of the types of personal information that were or are reasonably believed to have been breached;
- If known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
- A summary of steps taken to contain the breach; and
- A copy of the breach notification sent to affected residents.
The notice to the Attorney General must be sent within 30 days of the breach being discovered.