Washington Enacts Breach Law Update: 45-Day Deadline, Attorney General Notice

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

April 23 — Washington Gov. Jay Inslee (D) April 23 signed a bill (H.R. 1078) that makes the failure to notify consumers of a breach in the security of their personal information a violation of the state Consumer Protection Act.

The Senate April 13 unanimously approved the measure, which requires notification to affected state residents as quickly as possible and no later than 45 days after discovery of a breach of personal information.

New Enforcement Provisions 

The House March 4 unanimously passed the bill, which also requires covered entities to notify the office of the state attorney general of breaches.

Under the new law, the attorney general is authorized to bring an action on behalf of the state or consumers living in Washington to enforce the statute.

The state's Consumer Protection Act, at Wash. Rev. Code. ch. 19.86, provides for actual damages, costs and fees as well as court-ordered treble damages not to exceed $25,000.

Risk of Harm Trigger 

H.R. 1408 amends the state's data breach notification statute, which was adopted in 2005.

The new law also makes clear that breaches of personal data in any form, not just computerized data, are covered under the breach notice requirements.

In addition, a blanket exemption from the statute for encrypted data has been replaced with a risk of harm threshold that doesn't require notice if the personal information at issue has been “secured” under means that include encryption at least as strong as the federal National Institute of Standards and Technology standards or the personal information is modified so that it “is rendered unreadable, unusable, or undecipherable by an unauthorized person.”

H.B. 1078, as cleared by the Legislature and signed into law , is available at http://lawfilesext.leg.wa.gov/biennium/2015-16/Pdf/Bills/House%20Bills/1078-S.E.pdf.


Request Bloomberg Law: Privacy & Data Security