Shortly after the proposed Washington Privacy Act (SB 5367) failed to pass the legislature, Washington is set to revise its existing data breach law. HB 1071, which passed the legislature on April 22, 2019, and is awaiting the Governor’s signature, would substantially expand the definition of personal information, impose new breach notification requirements such as shortening the period for reporting data breaches, and make various other important revisions. These changes will increase the number of reportable breaches.
Expansion of Personal Information. Under the new law, the definition of personal information in Washington will be expanded to include:
- Full date of birth;
- Individual private keys used to authenticate or sign electronic records;
- Student, military and passport ID numbers;
- Health insurance policy and ID numbers;
- Medical information;
- Biometric data generated by automatic measurements;
- Financial account numbers combined with “any other numbers or information that can be used to access a person’s financial account.”
This is in addition to the long-standing Washington definition of personal information, which covers first name or first initial and last name in combination with a social security number, driver’s license or state ID number, and financial account numbers plus an access code or password.
New Breach Notification Requirements. Breach notifications must now meet the following additional requirements:
- Notice must be provided to affected consumers no more than 30 days after breach discovery, rather than the previous period of 45 days.
- Breach notifications must include “a time frame of exposure, including the date of the breach and date of the discovery of the breach.”
- Where the breach involves personal information including a user name or password, notice may be provided electronically or by mail, unless the breach involved login credentials of an email account. The notice must direct the consumer to change their password and security questions and answers.
- Notice to the Attorney General (where required) must be provided within 30 days and include a summary of steps taken to contain the breach. The notice must be updated if any of the mandatory notice information is unavailable when the notice is provided.
This statutory update has received less attention than the unsuccessful Washington Privacy Act due to its more limited scope, but the expanded requirements and definitions it contains are important to practitioners.