As reported by Bloomberg Law, on May 7, 2019, Washington State Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law. The new requirements include the following:

  • Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information.” Washington’s breach notification law previously defined personal information as an individual’s name in combination with the individual’s Social Security number, state identification card number, or financial account or credit or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. HB 1071 adds the following data elements to the definition, when compromised in combination with an individual’s name:
    • full date of birth;
    • private key that is unique to an individual and that is used to authenticate or sign an electronic record;
    • student, military or passport identification number;
    • health insurance policy number or health insurance identification number;
    • any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
    • biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that is used to identify a specific individual.

The expanded definition also includes any of these data elements or combination thereof without the consumer’s name if the data is not encrypted or redacted, or if the data would enable a person to commit identity theft. Further, the expanded definition now includes “username or email address in combination with a password or security questions and answers that would permit access to an online account” (without an individual’s name).

  • Method of Notification. HB 1071 provides that if the breach involves a username or password, an entity may provide notice by email. Such notice “must inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account” the individual has with the entity “and all other online accounts for which the person…uses the same username or email address and password or security question and answer.” The law provides that if the breach involves the login credentials of an account furnished by the entity, the entity may not provide notification to that email address.
  • Additional Content Requirements for Notification. HB 1071 expands the required content for breach notification by requiring that notice to affected individuals includes, among other details, a time frame of exposure of the relevant personal information, if known, including the date of the breach and the date of discovery of the breach. In addition, notice made to the Attorney General (if the breach affects more than 500 Washington residents) must include additional content, including a list of the types of information affected by the breach, the time frame of exposure (including the date of the breach and the date the breach was discovered), a summary of steps taken to contain the breach and a sample copy of the notice to affected individuals.
  • Timing of Notification. The law tightens the timing requirement for notification to affected individuals and the Attorney General, as applicable, from 45 days to 30 days.
  • Updates to Regulator Notification. HB 1071 provides that an entity must provide updated notice to the Attorney General, as applicable, if information required to be disclosed pursuant to the law is unknown at the time notice is due.

The amendments take effect March 1, 2020.