On May 7, 2019, Washington amended its data breach notification law (HB 1071). The amendment shortens the period in which notice must be provided, expands the definition of personal information, adds further content requirements for notification letters, and changes the way in which notifications must be delivered in certain circumstances.
Timing of Notice. The amendment shortens the period during which notice must be provided to residents and the attorney general from forty-five (45) to thirty (30) days after the discovery of the breach.
Personal Information. The definition of personal information is expanded to include, in combination with first name or first initial and last name:
- Full date of birth;
- A unique private key that is used to authenticate or sign an electronic record;
- Student, military, or passport identification number;
- Health insurance policy number or health insurance identification number;
- Information related to a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; and
- Biometric data generated by automatic measurements (e.g., fingerprint, eye retinas).
Personal information also includes any of the data elements listed above, whether alone or in combination with each other, without first name or first initial and last name if the data is not protected and access to such data would allow a person to commit identity theft. Lastly, personal information includes username or email address in combination with a password or security questions and answers that would permit access to an online account.
Content Requirements. Under the amendment, businesses are required to include in resident notifications “the time frame of exposure, if known, including the date of the breach and the date of discovery of the breach.” Further, the amendment adds the following content requirements to notifications sent to the attorney general:
- Types of personal information that were or are reasonably believed to be affected;
- Time frame of exposure, including the date of breach and the date of discovery;
- Summary of steps taken to contain the breach; and
- A sample copy of the breach notification letters to individuals.
Notifications to the attorney general must be updated if any of the information above changes.
Delivery Method. The amendment allows businesses to provide notice of the breach to residents electronically or by email when the personal information affected includes a username or password. The notification must meet certain requirements, including recommending to affected residents that they change their password and security question or answer or use other methods to protect the online account and all other online accounts for which the login information is the same as the breached account.
If, however, the breach involves login credentials of an email account, the amendment prohibits notifications from being provided to that email address and requires another delivery method to be used.
The amendment takes effect March 1, 2020.