The Washington legislature has passed a bill that effectively expands the state’s consumer data breach notification requirements.

The Washington State Capitol (Source: Wikipedia)

Previously, Washington-based organizations needed to notify consumers of a data breach only in the event that the security incident exposed users’ names in combination with their Social Security Numbers, driver’s license numbers, state ID numbers or financial account information.

This new law, HB 1071, changes that. Now, victim organizations need to notify consumers if a digital attacker obtains a user’s name in combination with their full birth dates, health insurance ID numbers, medical history, student ID numbers, military ID numbers, passport ID numbers, usernames and passwords, biometric data (such as DNA profiles or fingerprints) or electronic signatures. They must do so by writing a data breach notification letter that specifically identifies which data types the incident exposed along with the security event’s date, the discovery date, the duration of the breach and the estimated number of Washingtonians who were affected.

HB 1071 also shortens the period in which organizations must notify Washington’s Attorney General of a data breach from 45 days to 30 days.

Washington’s state legislature passed this law after data breaches affected 3.4 million Washingtonians between July 2017 and July 2018, a 26 percent increase over the previous year. Given this finding, Attorney General Bob Ferguson feels that HB 1071 is well-timed. As he explains in a press release:

“My office has seen the number of Washingtonians impacted by data breaches increase year after year. Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”

Even so, Washington’s state legislature has yet to pass SB 5376, a bill which would empower Washington citizens to learn more about the types of data which companies are collecting, storing and selling about them. This bill overwhelmingly cleared Washington’s Senate floor earlier in 2019 after a vote of 46 to 1. As of this writing, the bill has yet to make it to the floor of the House.