Click here to review text of state statute
[For specific rules applicable to state agencies – see Wash. Rev. Code §42.56.590 et seq.]
Information Covered / Important Definitions
Personal information of Washington residents.
Definition also includes a username or email address in combination with a password or security questions and answers that would permit access to an online account, and an individual’s first initial and last name in combination with (i) full date of birth, (ii) private key that is unique to an individual and that is used to authenticate or sign an electronic record, (iii) student, military, or passport identification number, (iv) health insurance policy number or health insurance identification number, (v) information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer or (vi) biometric data generated by automatic measurements of an individual’s biological characteristics such as fingerprint, voiceprint, retinas, irises, or other unique biological patterns or characteristics. Any of the data elements described above are personal information without the first initial and last name if encryption methods have not been rendered, or the data element would enable a person to commit identify theft.
“Security Breach” means unauthorized acquisition of data (in any form) that compromises the security, confidentiality or integrity of personal information maintained by the person or business.
“Secured” means encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable or undecipherable.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business that conducts business in Washington and that owns or licenses data (in any form) that includes personal information.
Third party recipients:
Any covered entity that maintains or possess data (in any form) that may include personal information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, but not later than 30 days after discovery of the security breach, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
- If the security breach involves personal information including a user name or password, notice may be provided electronically or by email. However, iI the security breach involves login credentials of an email account, the person or business must provide notice using another method.
- Notice not required if the security breach is not reasonably likely to subject consumers to a risk of harm.
Other exemptions, cont’d:
A covered entity subject to HIPAA is exempt. Such covered entities will notify the Attorney General in the event of a security breach.
Financial institutes subject to federal interagency guidelines are exempt. Such covered entities will notify the Attorney General in the event of a security breach.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor: Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is secured (e.g. encryption or redaction). Safe harbor not available if a confidential process, encryption key or other means to decipher the secured information is compromised.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as the personal information is not used or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Washington statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Washington statute.
Notification to Regulator / Waiver
Attorney General must be notified no more than 30 days after the breach was discovered if a single breach results in notification to more than 500 residents.
Notification must be submitted electronically (which may be via online portal) and include the number (or estimate) of affected Washington residents, a list of the types of personal information that were or are reasonably believed to have been the subject of a breach, a time frame of exposure if known, a summary of steps taken to contain the breach, and a sample copy of the notification to consumers.
A determination of no likelihood of harm:
Does not require notification to Attorney General.
A waiver of the statute is void and unenforceable.
Violations are an unfair or deceptive act in trade or commerce and an unfair method of competition.
Private Cause of Action / Enforcement
Private Cause of Action: Yes.
Enforcement by Attorney General and individuals.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute [For specific rules applicable to state agencies – see Wash. Rev. Code §42.56.590 et seq.]