NB: This page summarizes current Washington law. However, Washington amended its data breach notification statute effective March 1, 2020. This page will be updated at that time.
Breach Based on Harm Threshold: YES
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay, no more than 45 days*
Government Notification Required: YES, if >500 residents are notified*
Scope of this Summary
Form of Covered Info
Encryption Safe Harbor
Timing: Must be made in the most expedient time possible without unreasonable delay but no more than 45 calendar days after the breach was discovered, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Content: Notice must be written in plain language and include: name and contact info of the covered entity; list of the types of covered info reasonably believed to have been affected by breach; and toll-free phone numbers and addresses of the major CRAs.
Method: By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
If more than 500 residents must be notified, the covered entity must provide notice to the Attorney General prior to consumer notice. The notice must include an electronic copy of the consumer notice and the number of residents affected by the breach. While entities subject to HIPAA and federal banking regulators are generally exempt from this statute, they must still notify the state Attorney General.
*Wash. Admin. Code 284-04-625: Licensees subject to state insurance regulations must notify the state Insurance Commissioner in writing of the number of consumers affected and the measures taken, within two business days of determining that notice must be sent to consumers under the breach notification statute or 45 C.F.R. § 164.402. Additional notice requirements apply for breaches of PHI.