The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Washington

Data Breach Notification Statute

Highlights

Covered Entities: Any person or business that conducts business in this state and that owns, licenses, or maintains data that includes personal information.

Consumer Notification: Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty (30) calendar days after the breach was discovered, unless the delay is at the request of law enforcement or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Regulatory Notification: Any person or business that is required to issue a notification pursuant to this section to more than five hundred (500) Washington residents as a result of a single breach shall notify the attorney general of the breach no more than thirty days after the breach was discovered.

Notification Timeline: Notification to consumers without unreasonable delay, and no more than thirty (30) calendar days after the breach was discovered. Notice to the attorney general of the State no more than thirty (30) days after the breach was discovered.

Data Format: Paper or electronic.

Citations: Wash. Rev. Code §§ 19.255.005 – 040

More Details

Definitions:

  • Breach: The unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
  • Personal Information (PI):
    • An individual's first name or first initial and last name in combination with any one or more of the following data elements:
      • Social security number;
      • Driver's license number or Washington identification card number;
      • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
      • Full date of birth;
      • Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
      • Student, military, or passport identification number;
      • Health insurance policy number or health insurance identification number;
      • Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
      • Biometric data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.
    • Username or email address in combination with a password or security questions and answers that would permit access to an online account.
    • Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
      • Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
      • The data element or combination of data elements would enable a person to commit identity theft against a consumer.
  • Medical Information: Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer.
  • Health Insurance Information: Health insurance policy number or health insurance identification number.

Safe Harbors:

  • Encryption: Notification is not required if encryption, redaction, or other methods have rendered the data element or combination of data elements unusable.
  • Good Faith: Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.
  • Risk of Harm: Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.
  • Law Enforcement Delay: The notification may be delayed if the data owner or licensee contacts a law enforcement agency after discovery of a breach and a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

Direct Notice:

  • Timing: Notification to affected consumers under this section must be made in the most expedient time possible, without unreasonable delay, and no more than thirty (30) calendar days after the breach was discovered, unless the delay is at the request of law enforcement or the delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Format: The notification must be written in plain language and must include the statutorily prescribed content.
  • Content: Notification must include:
    • The name and contact information of the reporting person or business subject to this section;
    • A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
    • A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; and
    • The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.

Method:

(1) Written Notice or (2) Email Notice. If the breach involves personal information including a username or password, notice may be provided electronically or by email. The notice must inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.

However, when the breach involves login credentials of an email account furnished by the entity, the entity may not provide the notification to that email address but must provide notice using another method. The notice must inform the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.

Substitute Notice:

Substitute notice may be used if the entity demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following:

  • Email notice when the person or business has an email address for the subject persons;
  • Conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and
  • Notification to major statewide media.

Remediation Services:

N/A

Regulatory Notice:

Any person or business that is required to issue a notification pursuant to this section to more than five hundred (500) Washington residents as a result of a single breach shall notify the attorney general of the breach no more than thirty (30) days after the breach was discovered.

  • The notice to the attorney general shall include the following information:
    • The number of Washington consumers affected by the breach, or an estimate if the exact number is not known;
    • A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
    • A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach;
    • A summary of steps taken to contain the breach; and
    • A single sample copy of the security breach notification, excluding any personally identifiable information.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any person or business that maintains or possesses data that may include personal information that the person or business does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA:

A covered entity under HIPAA is deemed to have complied with the requirements of this chapter with respect to protected health information if it has complied with section 13402 of the federal Health Information Technology for Economic and Clinical Health Act (HITECH). Covered entities shall notify the attorney general in compliance with the timeliness of notification requirements of section 13402 of the federal HITECH Act.

Private Action:

Any consumer injured by a violation of this chapter may institute a civil action to recover damages.

Associated Regulations:

Wash. Rev. Code § 42.56.590.
