On May 7, 2019, Governor Jay Inslee of Washington signed HB 1071 into law, which strengthens the state’s data breach notification law. Washington joins the growing list of states that have recently amended their breach notification laws. Although Washington’s law was amended in 2015, the law was initially enacted nearly 14 years ago. This amendment, like those of other states, is designed to better align with the way in which consumers interact with technology today. As consumers share more information about themselves via the internet, states continue to place the onus on the companies and organizations collecting that information to guard against its loss or misuse.

Washington’s amendment expands upon the breach notification law in the following key ways:

  • First, it shortens the period between the discovery of a breach of consumers’ personal information (as defined by the law) and the time in which notification of the breach must be provided to those consumers from 45 days to 30 days. This change also applies to notifications to the attorney general, who now must be notified within 30 days after the breach was discovered, also down from 45 days (the requirement to notify the attorney general still only applies if notification must be provided to more than 500 Washington residents).
  • Second, the notification to the attorney general must now also include:
    • A list of the types of personal information implicated in the breach;
    • The timeframe of exposure, if known, including the date of the breach and the date of its discovery;
    • A summary of steps taken to contain the breach; and
    • A sample copy of the breach notification letter without any personally identifiable information.

In the event that more information becomes known as the investigation into the breach progresses, updates must be provided to the attorney general under the amended law.

  • Third, the amended law expands the definition of personal information to include the person’s first name or first initial and last name paired with one of the following elements: the full date of birth; health insurance policy or identification number; medical history, information about mental or physical condition, or a health care professional’s medical diagnosis or treatment; student, military, or passport number; private key used to authenticate or sign electronic records; or certain biometric data. For the biometric data element, the amended law refers to “biometric data generated by automatic measurements of an individual’s biological characteristics.” The law provides examples such as a fingerprint, voiceprint, retina, and iris.

Further, in an apparent attempt to maintain its effectiveness as consumers’ interactions with technology continue to rapidly evolve, the amended law does not require that a breach include the consumer’s name to trigger notification, so long as the loss of any one or a combination of the elements described above “would enable a person to commit identity theft” and these elements were not rendered unusable by encryption, redaction, or some other means. User name or email address in combination with a password or information that would permit access to an online account now also falls within the definition of personal information, even without an individual’s name.

This expansion is significant, as the prior law defined personal information to include only an individual’s name (first name or first initial and last name) in combination with one of the following elements: social security number; driver’s license number or Washington identification card number; or account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

As companies continue to collect increasing amounts of data on their consumers, it is crucial that they take into account the need to keep that data safe from theft or misuse. It is becoming increasingly likely that the failure to do so will result in the need to publicly notify those individuals affected, which could cause those companies to suffer both significant reputational and financial harm.