Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay, no more than 30 days*
Government Notification Required: YES, if >500 residents are notified*
Scope of this Summary
(1) First name or first initial and last name, plus: Social Security number; driver's license or state identification card number; financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident's financial account; full date of birth; a unique private key the resident uses for electronic signatures; student, military, or passport ID number; health insurance or medical information; or biometric data;
(2) any of the elements in (1) without a name if the information would allow a person to commit identity theft against a resident; or
(3) a username or email address in combination with a password or security question and answer that would permit access to an online account.
Form of Covered Info
Encryption Safe Harbor
Timing: Must be made in the most expedient time possible without unreasonable delay but no more than 45 calendar days after the breach was discovered, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Content: Notice must be written in plain language and include: name and contact info of the covered entity; list of the types of covered info reasonably believed to have been affected by breach; a time frame of exposure, if known, including the date of the breach and the date it was discovered; and toll-free phone numbers and addresses of the major CRAs. If information permitting access to an online account is compromised, notice must include directions to change access credentials and/or other steps to protect all online accounts using the same credentials.
Method: By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied. By email if the breach involves a username or password, except that if the breach involves the login credentials of an email account provided by the covered entity then notice cannot be provided to that email address.
If more than 500 residents must be notified, must provide notice to the Attorney General within 30 days of discovering the breach. Notice must include a summary of steps taken to contain the breach and a sample copy of the consumer notice. This notice must be updated if any required information is unknown at the time the notice is due. While entities subject to HIPAA and federal banking regulators are generally exempt from this statute, they must still notify the state Attorney General.
*Wash. Admin. Code 284-04-625: Licensees subject to state insurance regulations must notify the state Insurance Commissioner in writing about the number of consumers affected and the measures taken, within two business days of determining that notice must be sent to consumers under the breach notification statute or 45 C.F.R. § 164.402. Additional notice requirements apply for breaches of PHI.