In late April, Washington’s data-breach law was significantly amended. The changes go into effect July 31, 2015, and will change the law in the following seven ways:
- Specific information (e.g., the name and contact information of the reporting person or business, and of credit-reporting agencies) must be included in a data-breach notification. This is in line with Washington’s neighbor to the south, Oregon, which also specifies certain required content for notices.
- A breach notification must be sent out within 45 days after discovery unless (a) a law enforcement agency determines that the notification will impede a criminal investigation or (b) additional time is needed to evaluate the scope of the breach “and restore the reasonable integrity of the data system.” The latter exception is important from a practical perspective because it often takes several weeks for businesses to sort through what happened and provide accurate facts to affected people in a data-breach notification.
- The definition of “personal information” has expanded to include more than just “computerized” data. Expanding the scope of “personal information” will increase the number of situations where notification is required.
- References to “encrypted” are deleted and, in their place, the statute uses the term “secured,” which is defined to mean “encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.” This NIST standard is likely to change over time, so businesses will have to periodically evaluate whether their data is “encrypted” under this statute.
- The state attorney general must be notified if more than 500 state residents are notified of a breach. Alerting the attorney general will have the effect of making the breach a public record, which may have significant PR/reputation implications for the business affected by the breach.
- The attorney general is explicitly authorized to bring civil actions—in the name of the state or the affected resident(s)—under the Washington consumer protection statute (which allows the state to recover penalties and attorneys’ fees).
- Entities are exempt from compliance if they are already compliant with certain federal data-security regulations.
Washington’s actions are consistent with a nationwide trend among states to strengthen their data-breach notification statutes. If you have any questions about these changes, please feel free to contact us!