Washington State Amends Data Breach Law

Passage of H.B. 1078 sets a 45-day notification deadline, adds additional notice requirements

Washington Governor Jay Inslee signed H.B. 1078 into law on April 23, revising the state’s data breach notification statute and imposing additional notification requirements on businesses that suffer an unauthorized disclosure of “personal information” (PI). The new bill does the following:

• Expands coverage to hard copy data as well as electronic or “computerized” data;
• Requires notification of the Washington Attorney General if more than 500 Washington residents are required to be notified;
• Imposes a 45-day deadline for notification of affected consumers and, when required, of the Washington Attorney General;
• Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act;
• Mandates certain content in the consumer notification, including the name and contact information of the reporting business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies;
• Introduces a safe harbor for PI that is "secured" or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is Otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person;” and
• Adds language that exempts certain covered entities from compliance if they otherwise comply with certain federal laws.

The bill will go into effect July 24, 2015, and it makes the Evergreen State the third state to amend its consumer data breach notification statute this year, following recent changes by Wyoming and Montana. Given the high level of current attention on data breach issues, however, H.B. 1078 likely will not be the last bill this year to amend a data breach notification statute.