Washington State’s New Data Breach Notification Law Takes Effect This Friday (July 24)
Washington State’s new data breach notification law (RCW 19.255.010) takes effect Friday, July 24, bringing important changes that all companies doing business in Washington should be aware of. Overall, the new law reflects the evolution of the data breach legal landscape, and of consumer expectations in particular, since Washington State first enacted its data breach notification statute in 2005.
Broader Definition of Covered Information
The new statute broadens the law to require notification of a breach of personally identifiable information (“PII”) contained in non-electronic form, such as paper documents. Washington’s old notification law required notice only upon a breach of “computerized” data, but the word “computerized” has now been eliminated from the statute. This change codifies the recognition that data breaches are not solely a high-tech problem, and that many breaches result from the mishandling of paper records.
The new law also alters the encryption safe harbor. Before the changes, Washington did not require notice if the PII was “encrypted.” Seemingly recognizing that encryption technology and its use vary widely, and that merely encrypting data does not necessarily protect sensitive information, the new law imposes further requirements. It replaces the word “encryption” with “secured,” defining “secured” to mean encrypted in a manner that meets or exceeds the NIST standard, or otherwise “rendered unreadable, unusable, or undecipherable by an unauthorized person.” No notice is required if the breached PII was stored in a manner that meets this definition. However, the law requires notice of a breach of otherwise secured PII if the data was not “secured” throughout the breach (e.g. if any data was unsecured in transit), or if the means used to secure the data (e.g. the encryption key) was also acquired during the breach. In practice, encryption at rest alone does not guarantee the safe harbor: the key material and every copy of the data, including copies in transit, must have remained protected for the entire incident.
Changes to What Events Trigger Notice
Under Washington’s old notification statute, a company was not required to notify consumers of a “technical breach of a security system that d[id] not seem reasonably likely to subject consumers to a risk of criminal activity.” This language left many open questions, including what would qualify as criminal activity.
The new law no longer has this language, and instead adopts a risk of harm analysis more similar to what many other states have enacted. Now, Washington requires notification when a “breach of the security of the system” results in an unauthorized person acquiring PII, or a reasonable belief that such acquisition occurred. (This assumes, of course, that the data was not “secured” as explained above.) However, even if an event satisfies this trigger, Washington’s new law does not require notice if the breach is “not reasonably likely to subject consumers to a risk of harm.”
New Requirements When Providing Notice
In addition to adding some requirements for the contents of any notice (e.g. that it must be written in “plain language”), Washington now requires a company to notify the Attorney General if notice to more than 500 Washington residents is required. Many other states have similar requirements. Notifying the Attorney General can increase a company’s exposure as the Attorney General is expressly authorized to bring an enforcement action for violation of the notice statute (among other potential enforcement actions related to the breach itself).
Additionally, Washington has now adopted a time limit for providing notice. Washington’s old law merely required notice “in the most expedient time possible and without unreasonable delay.” The new law retains that language, but adds that notice must be provided “no more than 45 calendar days after the breach was discovered.” This is an important change, as 45 days is a short window in which to conduct a proper forensic investigation. Thankfully, Washington allows notice to be delayed in two situations: (1) at the request of law enforcement; or (2) “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data systems.”
Further, covered entities that comply with the notice requirement under HIPAA, and financial institutions that comply with applicable federal laws, like the Gramm-Leach-Bliley Act, are deemed to have complied with Washington’s new notification law. Importantly, however, they must still notify the Washington Attorney General if notice is provided to more than 500 Washington residents under those federal laws.
As this brief summary shows, navigating Washington’s data breach notification law requires the knowledge and expertise of experienced counsel. Riddell Williams’ Privacy and Data Security Group is well apprised of the latest developments in this area, and is happy to discuss Washington’s new data breach notification law and other related issues with you. Please contact us at: