Davis Wright Tremaine LLP
Practice Areas - Privacy & Security

Advisory Bulletin

Washington’s New Data Breach Notification Law Takes Effect July 24

By Randy Gainer
[July 2005]

The new Washington data breach notification statute, Chapter 368, Laws of 2005, takes effect July 24, 2005. Section II of the law requires businesses and individuals in Washington that own or license computerized data that includes “personal information” to notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. The statute requires that notices be sent in “the most expedient time possible and without unreasonable delay.” Notice may be delayed if a delay would serve the legitimate needs of law enforcement. If the cost of separately notifying each person whose personal information may have been taken will exceed $250,000, substitute notice by posting disclosure of the breach on a web site, by notifying statewide media or by emailing customers, is permitted. The Washington data breach notice requirements are modeled on California Civil Code §1798.82, which was enacted in 2000. Eleven states, so far, have adopted data breach notification laws (Arkansas, Florida, Georgia, Illinois, Indiana, Minnesota, Montana, North Dakota, and Delaware, in addition to Washington and California). Similar proposed statutes are pending in five other states (Connecticut, Nevada, Pennsylvania, Rhode Island and Tennessee).

For purposes of these laws, “personal information” is generally defined to mean an individual’s first name (or first initial) and last name in combination with one or more of the following data, when either the name or the additional data are not encrypted: (1) social security number, (2) driver’s license number or identification card number, or (3) credit or debit card account number in combination with any security code, access code or password that would permit access to the individual’s account.

These statutes are obviously intended to encourage businesses to encrypt personal information. It is often impractical, however, for businesses to encrypt information that flows through their data processing applications. On the other hand, the laws have encouraged some businesses to encrypt back-up files that contain personal information so that, if back-up tapes or other back-up media are stolen or misplaced, the businesses do not need to notify customers.

To comply with the new Washington data breach notification law and similar state laws, businesses that use computerized personal information should adopt policies that regulate access to personal information and they should implement processes to audit who accesses the information. Such businesses should also have formal incident response policies that address, among other things, who will decide if notice is appropriate and whether the business will take additional steps to assist its customers, such as paying for fraud alerts for persons whose personal information was stolen.

On June 29th, U.S. Senators Arlen Specter (R – PA) and Patrick Leahy (D – VT) introduced S. 1332, a bill to adopt a federal “Personal Data Privacy and Security Act.” The proposed federal act addresses broader issues than state data breach notification laws. For example, it would provide assistance to state and local law enforcement to combat crimes related to fraudulent and criminal use of personal information. Section IV. B. of the proposed federal act would, however, adopt federal data breach notification requirements that would preempt state data breach laws. Businesses that use computerized personal information covered by current state data breach notification laws must, of course, comply with the state laws until or unless the Specter-Leahy bill or some other preemptive federal law is enacted.

Davis Wright Tremaine advises businesses regarding many legal issues related to data security, including data breach notification requirements. If you have questions regarding these matters, please contact Randy Gainer, a partner in DWT’s Seattle office (206.628.7660) or any of the contacts listed below.


Contact Information

Author:
Randy Gainer
Seattle, Washington
(206) 628-7624
RandyGainer@dwt.com

Other Contacts:
Eric Jenkins, Anchorage, (907) 257-5300, ericjenkins@dwt.com
Lance Koonce, New York, (212) 489-8230, lancekoonce@dwt.com
Bruce Johnson, Seattle, (206) 622-3150, brucejohnson@dwt.com
Ronnie London, Washington, D.C., (202) 508-6600, ronnielondon@dwt.com


This Advisory is a publication of the Privacy and Security Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent privacy and security developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2005, Davis Wright Tremaine LLP.
