Alston & Bird Privacy Blog

Washington State Amends Data Breach Notification Law

May 18, 2019 By Dorian Simmons

On May 7, 2019, Washington amended its data breach notification law (HB 1071). The amendment shortens the period in which notice must be provided, expands the definition of personal information, adds further content requirements for notification letters, and changes the way in which notifications must be delivered in certain circumstances.

Timing of Notice. The amendment shortens the period during which notice must be provided to residents and the attorney general from forty-five (45) to thirty (30) days after the discovery of the breach.

Personal Information. The definition of personal information is expanded to include, in combination with first name or first initial and last name:

  • Full date of birth;
  • A unique private key that is used to authenticate or sign an electronic record;
  • Student, military, or passport identification number;
  • Health insurance policy number or health insurance identification number;
  • Information related to a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; and
  • Biometric data generated by automatic measurements (e.g., fingerprint, eye retinas).

Personal information also includes any of the data elements listed above, whether alone or in combination with each other, without first name or first initial and last name if the data is not protected and access to such data would allow a person to commit identity theft. Lastly, personal information includes username or email address in combination with a password or security questions and answers that would permit access to an online account.

Content Requirements. Under the amendment, businesses are required to include in resident notifications “the time frame of exposure, if known, including the date of the breach and the date of discovery of the breach.” Further, the amendment adds the following content requirements to notifications sent to the attorney general:

  • Types of personal information that were or are reasonably believed to be affected;
  • Time frame of exposure, including the date of breach and the date of discovery;
  • Summary of steps taken to contain the breach; and
  • A sample copy of the breach notification letters to individuals.

Notifications to the attorney general must be updated if any of the information above changes.

Delivery Method. The amendment allows businesses to provide notice of the breach to residents electronically or by email when the personal information affected includes a username or password. The notification must meet certain requirements, including recommending to affected residents that they change their password and security question or answer or use other methods to protect the online account and all other online accounts for which the login information is the same as the breached account.

If, however, the breach involves login credentials of an email account, the amendment prohibits notifications from being provided to that email address and requires another delivery method to be used.

The amendment takes effect March 1, 2020.

Filed Under: Cybersecurity, Data Breach, Legislation, Security Breach

About Dorian Simmons

Dorian Simmons is an associate in the Technology & Privacy Group. Dorian focuses his practice on technology transactions and data privacy issues. He assists clients with technology contracting and procurement, and privacy and data security-related matters.

