Governor Signs Expanded Washington State Data Breach Law

On May 7, Washington Governor Jay Inslee signed new legislation that updates and expands the breach notification obligations of businesses that maintain the personal information of Washington citizens. The new provisions had been requested by Washington Attorney General Ferguson and unanimously passed both chambers of the Washington legislature. The new provisions will take effect on March 1, 2020.

The new law covers two main topics: (a) the scope of “personal information” that, if subject to unauthorized disclosure, triggers notice obligations; and (b) the timing and content of the required notices.

Expanded definition of “personal information”

Prior to the new legislation, Washington’s data breach law (Wash. Rev. Code §§ 19.255.010, et seq.: § 42.56.590) defined “personal information” for purposes of breach notification as a consumer’s name, along with her Social Security number, driver’s license number, state ID number and/or financial account information. The revised law expands this list to include the following additional information in combination with a consumer’s name: 

• Full birth date
• Health insurance ID numbers
• Medical history
• Student ID numbers
• Military ID numbers
• Passport ID numbers
• Online login credentials, such as usernames, passwords, and security questions
• Biometric data, such as DNA profiles or fingerprints
• Private encryption keys used for electronic signature

Policymakers justify these new elements on the grounds that unauthorized access to or disclosure of them could reasonably enable identity theft or other bad acts by an unauthorized person who had access to them in combination with the consumer’s name. The inclusion of biometric data and private encryption keys are both notable, however, in that – at least as of now – most data breach laws do not call out these specific items as “personal information” subject to protection.

Addressing re-identification. The new definition also addresses the risk that “de-identified” information could be re-identified, i.e., used to identify a specific person even though the data itself does not contain the person’s name or other information that directly identifies the person to whom the data relates. To address this issue, the revised definition of “personal information” includes any of the specified data elements (or combinations of them) without the consumer’s name if: (a) the data is not encrypted, and (b) it would “enable a person to commit identity theft against a consumer.”  

The law does not explain how an entity should decide whether exfiltrated data that does not include names would “enable a person to commit identity theft.” The issue can be complex because re-identification often depends on combining de-identified data with data from another, outside source of information. It will obviously be challenging for an affected entity to know what third-party, outside data sources might be available which, when combined with the hacked data, would permit identity theft to occur. For that reason, companies may wish to look at what outside data sources are reasonably available to third parties to help assess the likelihood that third parties could re-identify the data. At least for now, it appears that this issue will have to be addressed on a case-by-case basis.That said, by excluding encrypted information from this specific provision, the new law provides a strong incentive for businesses to encrypt any dataset that includes the elements identified above as personal information, even if it does not include consumers’ names.

Modified Notice requirements

The new law modifies and expands the notice obligations of entities subject to a data breach in several ways:

First, the required notice – to affected consumers and to the Attorney General – must occur within 30 days (rather than 45 days) from discovery of the breach. Note, however, that the new legislation did not affect the exception in existing law that permits delayed notification to consumers (but not the Attorney General) if law enforcement has been notified of the breach and requests that notification to the public be withheld while a criminal investigation is ongoing.

Second, the notice must now include the “time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach.” This addresses the common situation in which an entity whose data has been compromised may discover the problem only long after the breach began and, in some cases, only after active exfiltration of data has ceased.  

Third, the contents of a company’s notice to the Attorney General is expanded to include the timing-related data noted above, as well as a list of the types of personal information affected by the breach (which previously was only required for the consumer notice); a summary of the steps taken to contain the breach; and a sample of the notice to be provided to consumers. In addition, the law expressly obliges an entity reporting a breach to provide updates if any of the required information is not known at the time of the original report.

Fourth–and sensibly enough–the new law requires that if the breach involves a compromise of consumers’ login credentials (username, password, security questions) of an email account provided by the breached entity itself, the entity cannot use consumers’ compromised email accounts to provide them with notice.

Implementation

As noted above, the new law does not take effect until March 1, 2020. This reasonably long delay gives affected businesses at least some time to adjust their practices and procedures–such as the use of encryption for consumer data, and breach response protocols–to conform to the new requirements.