On April 22, 2019, Washington state legislators voted to send HB 1071 (the “Bill”) to Governor Jay Inslee for consideration. The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018.

The Bill’s key amendments include:

  • Expanding breach notification requirements to more types of consumer information. At present, organizations that experience a breach must notify consumers only if the consumer’s name along with his or her Social Security number, driver’s license number, state ID number or financial account information is exposed. The Bill triggers notification obligations when a consumer’s name is compromised alongside:
    • Full date of birth;
    • Electronic signatures;
    • Certain identification numbers, including student ID numbers, military ID numbers, passport ID numbers or health insurance ID or policy numbers;
    • Medical history information;
    • Biometric data, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics; or
    • Usernames or email addresses in combination with passwords or security questions and answers.
  • Introducing a specific rule for breach of usernames and passwords. The Bill contains a specific rule for breaches relating to usernames and passwords. If such personal information is breached, the notice to affected consumers must inform them to promptly change their passwords, security questions and answers and to take other appropriate steps to secure the account and for all other accounts which the consumer uses the same username, email address and password or security questions and answers. If the notice concerns breached login credentials for an account that the company notifying furnished, the Bill specifies that the company cannot provide notice by emailing the compromised account; rather, the company must employ a substitute notice method, such as posting the notice on their website or alerting major statewide media.
  • Imposing a new notification deadline. The Bill reduces the current 45-day deadline to notify affected residents and the state attorney general of a breach to no later than 30 days following discovery.
  • Adding additional content requirements for notifications. The Bill mandates additional content requirements for notification on top of those already required in the current law. These include the date the breach occurred and the date of discovery. Additionally, the new requirements specify that notice to the attorney general (required if more than 500 Washington residents are affected by a single breach) must include (1) the timeframe of exposure, (2) a list of the types of personal information reasonably believed to have been the subject of the breach, (3) a summary of steps taken to contain the breach, and (4) a single sample copy of the security breach notification, excluding any personally identifiable information.

The bill is now before Governor Jay Inslee.