Washington Lawmakers Clear Breach Law Amendments to Set 45-Day Notice Deadline

April 14 — The Washington Senate April 13 unanimously approved a bill that would make the failure to notify consumers of a breach in the security of their personal information a violation of the state Consumer Protection Act.

The House March 4 unanimously passed the bill, which would require notification to affected state residents as quickly as possible and no later than 45 days after discovery of a breach of personal information.

The proposed legislation now heads to Gov. Jay Inslee (D) for consideration.

Attorney General Notice.

H.R. 1408 would also amend the state's data breach notification statute, which was adopted in 2005, to require that covered entities also notify the office of the state attorney general of breaches.

Washington Attorney General Bob Ferguson (D), who requested the legislation, said in an April 13 statement that he was “thrilled to see the Legislature agree on these common-sense updates” to the breach notice statute.

“Nearly every day, we hear of another troubling compromise of sensitive personal information. Protecting consumers is one of my top priorities, and the sooner they know their data has been compromised, the more they can do to minimize that damage,” Ferguson said.

Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington to enforce the statute. The state's Consumer Protection Act, at Wash. Rev. Code ch. 19.86, provides for actual damages, costs and fees as well as court-ordered treble damages not to exceed $25,000.

Encryption Provision Modification.

The bill would amend the breach statute to make clear that breaches of personal data in any form are covered by the law.

In addition, a blanket exemption from the law for encrypted data has been replaced with a risk of harm threshold that doesn't require notice if the personal information at issue has been “secured” under means that include encryption at least as strong as the federal National Institute of Standards and Technology standard “or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”

H.B. 1078, as cleared by the Legislature, is available at http://lawfilesext.leg.wa.gov/biennium/2015-16/Pdf/Bills/House%20Bills/1078-S.E.pdf.