Washington state modifies its breach notification law

Photo by Ludomił on Unsplash

 

On April 22, 2019, the House of Representatives modified chapter 19.255 RCW to amend its data breach notification law.

The definition of “data breach” does not change. The security of the system means “unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

But HB 1071 introduced an expanded definition of “Personal information”, which now includes individuals’ first name or first initial and last name in combination with any one or more of the following data elements: (A) Social security number; (B) Driver’s license number or Washington identification card number; (C) Account number or credit or debit card number, in combination that would permit access to an individual’s financial account; (D) Full date of birth; (E) Private key that is unique to an individual and that is used to authenticate an electronic record; (F) Student, military, or passport identification number; (G) Health insurance identification number; (H) Any information about a consumer’s medical history or condition; or (I) Biometric data generated by automatic measurements of an individual’s biological characteristics.

Like before, a person or business is required to notify a data breach when more than five hundred (500) residents are affected but the deadline to notify the attorney general of the breach decreased to 30 days (instead of 45 days) after the breach was discovered.

If the breach of the security of the system involves personal information including a user name or password, notice may be provided electronically or by email.

HB 1071 expands on the required content for breach notification, which now also includes: a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; a summary of steps taken to contain the breach; and a single sample copy of the security breach notification, excluding any personally identifiable information.

The amendments will take effect on March 1, 2020.

 

Bill HB 1071 is available at http://lawfilesext.leg.wa.gov…

 

More on HB 1071 is available at https://app.leg.wa.gov…

 

For more information on how this data breach law may impact your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli