WBK Industry News - State Regulatory Developments

Washington Modifies Provisions Regarding Security Breaches

The state of Washington recently modified its provisions relating to the breach of security systems protecting personal information.  Aside from the removal of numerous old definitions and references to now-obsolete sections of the code, the bill introduces (among other items): (1) a new definition of “personal information” covered by the state’s data breach notification laws; (2) new rules regarding the timing and content of notifications of breach sent to affected customers and the attorney general; and (3) the addition of a new section which would allow the attorney general, or any consumer injured by a violation of data security laws, to institute a civil action to recover damages.  These provisions take effect on March 1, 2020.

The bill modifies the definition of “personal information” to include:

  1. An individual’s first name or first initial and last name in combination with one or more enumerated data elements, such as social security number or full date of birth;
  2. Any of the enumerated data elements, alone or in combination, without the consumer’s first name or first initial and last name, if encryption has not rendered the data elements unusable and if the data elements would enable a person to commit identity theft against a consumer; and
  3. A username and email address in combination with a password or security questions and answers that would permit access to an online account.

Additionally, the bill modifies the timing and content requirements regarding notices that people or businesses that own or license personal information must send out to consumers and the attorney general in the event of a data breach.  Similar changes have been made to the data breach provisions applicable to Washington state agencies.

Finally, the bill gives Washington’s attorney general the ability to bring an action in the name of the state, or on behalf of persons residing in the state, to enforce violations of the data breach notification laws.  Additionally, consumers injured by a violation of those laws may institute a civil action to recover damages.