Washington overhauls data breach law
Last week Washington Governor Jay Inslee signed Washington House Bill 1071 (“HB 1071”) into law. HB 1071 revises the Washington state data breach law to, among other things, shorten the time period for data breach notification to 30 days. Other states, including North Carolina and Oregon, have filed similar bills in their legislatures that would strengthen state data privacy protections and shorten the time frame for an organization to complete notice.
Among the most significant changes to the Washington data breach law, HB 1071 requires notification to the affected individuals to be completed within 30 days, but allows a delay of an additional 14 days for the notification to be translated to the primary language of the affected consumer. HB 1071 also requires notification to be made to the Washington attorney general within 30 days in the event that more than 500 Washington residents are impacted by the breach. Amendments by HB 1071 require the attorney general notification to include information about the breach, including a summary of steps taken to contain the breach.
In addition to revising notice requirements, HB 1071 broadens the definition of “personal information.” Where previously the term “personal information” only included an individual’s first name or first initial and last name in combination with a Social Security number, driver’s license or state identification card number, or financial account information, the definition was expanded to include the following data elements, along with the individual’s name:
- Full date of birth.
- Private key that is unique to an individual and that is used to authenticate or sign an electronic record.
- Student, military, or passport identification number.
- Health insurance policy number or health insurance identification number.
- Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.
- Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
The above data elements are also considered to be “personal information” without the individual’s name if encryption or redaction has not rendered the data element unusable or the data element or combination of data elements would enable a person to commit identity theft against the consumer.
The term “personal information” was also expanded to include a username or email address in combination with a password or security questions and answers that would permit access to an online account. Interestingly, in the event that the breach involves this type of personal information, the company may provide the impacted individual with notice electronically or by email. The notice must comply with the written-notice requirements, but must also advise the impacted individual how to take appropriate steps to protect the online account, as well as any other online accounts for which the individual uses the same username, password, or security questions. However, in the event that the breach includes login credentials for an email account, the business is explicitly prohibited from providing notice to that email address and must provide notice via another method.
Educational institutions must also take note that Washington is among the first states to include “student identification number” in the definition of personal information. This could drastically increase data breach notifications for such organizations.
The changes to Washington law described here take effect on March 1, 2020, and we anticipate other states (such as North Carolina and Oregon, which have similar pending bills) will pass their respective bills during their current sessions. Organizations that may be holding the personally identifiable information of individuals in any of these states must be aware of these changes and react accordingly. Organizations should not wait until they are impacted by an information security incident to revisit their incident response plans and privacy policies; they should proactively review and update these documents. McDonald Hopkins’ Data Privacy and Cybersecurity team will continue to monitor the pending bills and provide updates on the constantly changing state breach notification laws.