Changing Data Breach Laws: Washington
Last spring, Washington State Governor Jay Inslee signed into law House Bill 1071. As reported on the Hunton Andrews Kurth Privacy & Information Security Law blog, this law amends the state’s data breach notification law by:
- Expanding the definition of personal information.
- Allowing notification by email.
- Expanding the content required for notification.
- Tightening the timeline required for notifying affected individuals and the state attorney general.
Signed: May 7, 2019
Effective: March 1, 2020
Read the full text of the HB 1071 regulation here.
Alignment with Previously Identified Trends in Changing Data Breach Laws
This new regulation aligns with three recently identified trends published in the RadarFirst 2020 regulatory trends ebook:
Expanding Scope of Personal Information
How a regulation defines personal information significantly impacts what could potentially trigger a breach notification obligation.
The scope of what qualifies as personal information has continued to expand since the first data breach notification law went into effect in California in 2003.
In 2019, several states added online credentials and/or biometric data.
With the passage of HB 1071, Washington follows this trend by expanding the scope of personal information to also include online credentials and biometric data—similar to the New York SHIELD Act.
Specifying Notification Content
In most states, the first wave of data breach notification laws did not typically specify what information must be included in a notice to affected individuals. More recently, we’ve seen an emergence of notification content requirements as states amend their general breach notification statutes.
In 2019, six states added this specificity: Delaware, Massachusetts, New Jersey, New York, Ohio, and South Carolina.
Washington’s amended law follows this trend by requiring that notification content to affected individuals includes:
- How long the breached information was exposed.
- The date the breach occurred.
- The date the breach was discovered.
The Requirement to Notify the State Attorney General
State attorneys general themselves are the driving force behind this growing trend. Not only do their offices help consumers deal with the repercussions of a data breach, they also investigate data security lapses and enforce data breach notification laws. Keeping abreast of data breaches is critical to performing this work.
In 2019, four states added a requirement to notify the attorney general in the event of a breach: Arkansas, Massachusetts, Maryland, and New York.
When HB 1071 takes effect, notice to Washington’s state attorney general must include:
- The types of information breached.
- How long the breached information was exposed.
- The actions taken to contain the breach.
In addition, the timeline for individual and AG notification has been shortened from 45 to 30 days.
What Does This Mean for Privacy Professionals?
With all the movement in state, federal, and global data breach notification regulations, navigating the complex and ever-changing data breach law landscape means staying on top of pending and recently passed legislation and identifying common themes in changing regulations.
It also means establishing an incident response process that takes inefficiency and guesswork out of the equation. A mature incident response process will be:
- Defensible: You need to be able to show consistent, objective multi-factor risk assessments and well-documented criteria for your decisions whether to notify or not.
- Universal: Your risk assessment and response need to take into account all the laws that may apply in each separate incident.
- Fast and accurate: Your team needs to arrive at the right notification decision in time to meet compliance deadlines for every applicable regulation and jurisdiction.