On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.

The bill includes the following amendments to Washington’s existing data breach notification law:

  • Requires notification to the state attorney general in the event of a breach;
  • imposes a 45-day deadline for notification to affected residents and the state attorney general;
  • mandates content requirements for notices to affected residents, which must include (i) the name and contact information of the reporting business, (ii) a list of the types of personal information subject to the breach, and (iii) the toll-free telephone numbers and address of the consumer reporting agencies;
  • expands the current law to cover hard-copy data as well as “computerized” data;
  • introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person”; and
  • adds federal preemption language that would exempt certain covered entities from having to comply with Washington’s breach law.

The bill will now head to Governor Jay Inslee for consideration.

Update: On April 23, 2015, Governor Jay Inslee signed the bill into law.