Skip to main content


Click here to review text of state statute 

[For specific rules applicable to state agencies – see Wash. Rev. Code §42.56.590 et seq.]

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Washington residents.

[Effective March 1, 2020: Additional elements:

Any other numbers that can be used to access a person’s financial account.

Full date of birth

Private key that is unique to an individual and that is used to authenticate or sign an electronic record

Student, military, or passport ID number

Health insurance policy number or health insurance ID number

Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer

Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual.

User name or email address in combination with a password or security questions and answers that would permit access to an online account

Any of the data elements or any combination of the data elements described without the consumer’s first name or first initial and last name if: (a) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; or (b) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

Important definitions:

Security Breach” means unauthorized acquisition of data (in any form) that compromises the security, confidentiality or integrity of personal information maintained by the person or business.

Secured” means encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable or undecipherable.

Covered Entities* / Third Party Recipients

Subject to statute:

Any person or business that conducts business in Washington and that owns or licenses data (in any form) that includes personal information.

Third party recipients:

Any covered entity that maintains data (in any form) that includes personal information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.

Notice Procedures & Timing / Other Obligations

Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, but not later than forty-five (45) days after discovery of the security breach, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).

[Effective March 1, 2020:   Time for notice is changed to no later than 30 calendar days]

  • Notice to affected residents is required to contain specific content described in statute.
  • Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
  • Notice not required if the security breach is not reasonably likely to subject consumers to a risk of harm.

Other exemptions, cont’d:

A covered entity subject to HIPAA is exempt.  Such covered entities will notify the Attorney General in the event of a security breach.

Financial institutes subject to federal interagency guidelines are exempt. Such covered entities will notify the Attorney General in the event of a security breach.

[Effective March 1, 2020: If the breach of security of the system involves PI including a user name and or password, notice may be provided electronically or by email.  If the breach involves login credentials of an email account furnished by the entity, notice may be provided using another method – not to that email address.   The notice must inform the person whose PI has been breached to promptly change the account’s password and security question and answer question, as applicable, or to take appropriate steps to protect the online account with the entity and all other online accounts for which the person whose PI has been breached uses the same username or email address and password or security question and answer.]

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is secured (e.g. encryption or redaction).  Safe harbor not available if a confidential process, encryption key or other means to decipher the secured information is compromised.

Other exemptions:

Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used or subject to further unauthorized disclosure.

A covered entity is deemed in compliance with the Washington statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Washington statute.

Notification to Regulator / Waiver

Attorney General must be notified at the same as notice to residents if a single breach results in notification to more than 500 residents.

Notification must be submitted electronically and include the number (or estimate) of affected Washington residents and a sample copy of the notification to consumers.

[Effective March 1, 2020: Notification must also contain a list of the types of PI that were or are reasonably believed to have been the subject of a breach; a timeframe of exposure, if known, including the date of the breach and the date of discovery of the breach; and a summary of steps taken to contain the breach.]

A determination of no likelihood of harm:

Does not require notification to Attorney General.

waiver of the statute is void and unenforceable.


Violations are an unfair or deceptive act in trade or commerce and an unfair method of competition.

Private Cause of Action / Enforcement

Private Cause of Action: Yes.

Enforcement by Attorney General and individuals.


Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive.  Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Click here to review text of state statute [For specific rules applicable to state agencies – see Wash. Rev. Code §42.56.590 et seq.]

Return to Index of States

Click here to download a print-version of the Mintz Matrix

Subscribe To Viewpoints