Privacy and Security
Washington’s New Data Breach Notification Law Takes Effect July 24
By Randy Gainer
[July 2005]
The new Washington data breach notification statute, Chapter 368, Laws of 2005, takes effect July 24, 2005. Section 2 of the law requires businesses and individuals in Washington that own or license computerized data that includes “personal information” to notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. The statute requires that notices be sent in “the most expedient time possible and without unreasonable delay.” Notice may be delayed if a delay is consistent with the legitimate needs of law enforcement. If the cost of separately notifying each person whose personal information may have been taken would exceed $250,000, if more than 500,000 persons would have to be notified, or if the business lacks sufficient contact information, substitute notice is permitted. Substitute notice consists of all of the following: email notice to those persons for whom the business has email addresses, conspicuous posting of the disclosure on the business’s web site (if it maintains one), and notification to major statewide media.
The Washington data breach notice requirements are modeled on California Civil Code §1798.82, which was enacted in 2002 and took effect July 1, 2003. Eleven states, so far, have adopted data breach notification laws (Arkansas, Delaware, Florida, Georgia, Illinois, Indiana, Minnesota, Montana, and North Dakota, in addition to Washington and California). Similar proposed statutes are pending in five other states (Connecticut, Nevada, Pennsylvania, Rhode Island, and Tennessee).
For purposes of these laws, “personal information” is generally defined to mean an individual’s first name (or first initial) and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted: (1) social security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account. A name alone, or a data element alone, does not trigger the notice requirement; it is the combination, in unencrypted form, that does.
These statutes are plainly intended to encourage businesses to encrypt personal information. It is often impractical, however, for businesses to encrypt information while it flows through their data processing applications, where it must be in readable form to be used. On the other hand, the laws have encouraged some businesses to encrypt back-up files that contain personal information, so that, if back-up tapes or other back-up media are stolen or misplaced, the businesses do not need to notify customers. That benefit depends on the encryption keys being stored and managed separately from the back-up media; a tape shipped together with the means to decrypt it offers little practical protection.
To comply with the new Washington data breach notification law and similar state laws, businesses that use computerized personal information should adopt policies that restrict access to personal information to those who need it, and they should implement processes to log and audit who accesses the information, so that the scope of an incident can be determined when one occurs. Such businesses should also have formal incident response policies that address, among other things, who will decide whether notice is required, how quickly the decision will be made, and whether the business will take additional steps to assist its customers, such as paying for fraud alerts for persons whose personal information was stolen.
On June 29, 2005, U.S. Senators Arlen Specter (R – PA) and Patrick Leahy (D – VT) introduced S. 1332, a bill to adopt a federal “Personal Data Privacy and Security Act.” The proposed federal act addresses broader issues than the state data breach notification laws. For example, it would provide assistance to state and local law enforcement to combat crimes related to fraudulent and criminal use of personal information. Section IV. B. of the proposed federal act would, however, adopt federal data breach notification requirements that would preempt state data breach laws. Businesses that use computerized personal information covered by current state data breach notification laws must, of course, comply with the state laws until and unless the Specter-Leahy bill or some other preemptive federal law is enacted.
Davis Wright Tremaine advises businesses regarding many legal issues related to data security, including data breach notification requirements. If you have questions regarding these matters, please contact Randy Gainer, a partner in DWT’s Seattle office (206.628.7660), or any of the contacts listed below.
Contact Information
Other Contacts:
Eric Jenkins, Anchorage, (907) 257-5300, ericjenkins@dwt.com
Lance Koonce, New York, (212) 489-8230, lancekoonce@dwt.com
Bruce Johnson, Seattle, (206) 622-3150, brucejohnson@dwt.com
Ronnie London, Washington, D.C., (202) 508-6600, ronnielondon@dwt.com
This Advisory is a publication of the Privacy and Security Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent privacy and security developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
Copyright © 2005, Davis Wright Tremaine LLP.