Washington’s Data Breach Law is Changing – Expanding Definition of “Personal Information” and Adding New Notification Requirements

Beginning on March 1, 2020, Washington State’s data breach notification law will change in a number of important ways. First, the definition of “Personal Information” will expand significantly. This means more data elements will be added to the list of data elements that can trigger notification obligations in a breach scenario. Second, an additional notification method will be available under certain circumstances. Third, the required contents of notifications will expand. Finally, the general time frame for notifications will be shorter. Here are the details:

Personal Information Expands

The definition of “Personal Data” will expand to include (when combined with the individual’s first name or first initial and last name):

  1. Full date of birth;
  2. Private key that is unique to the individual and that is used to authenticate or sign an electronic record;
  3. Student, military or passport ID number;
  4. Health insurance policy number or health insurance identification number;
  5. Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; and
  6. Biometric data generated by automatic measurements of an individual’s biological characteristics such as fingerprint, voiceprint, eye retinas, irises, or other unique biological patters or characteristics that is used to identify a specific individual.

The above elements will be added to the data elements currently included in the statute – (i) social security number; (ii) driver’s license or Washington ID card number; and (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.  Additionally, the existing statutory language addressing the financial account data elements (mentioned in the previous sentence) will be expanded to include “… any other numbers or information that can be used to access a person’s financial account.”

Significantly, the new statutory language will also recognize as “Personal Information” any of the data elements mentioned above without an individual’s name or initials if (a) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable, and (b) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

One other addition to “Personal Information” under the upcoming law is any username or email address in combination with a password or security questions and answers that would permit access to an online account (without regard to the existence of any individual’s name or initials).

Additional Notification Method

Under the current statute, notice may be provided electronically if the notice is consistent with the provisions under federal law regarding electronic records and signatures.  Under the new statutory language, if the breach involves personal information including a user name or password, notice may be provided electronically or by email without qualification; however, if the breach involves login credentials for an email account furnished by the notifying party, the notice may not be sent to that email address (and must be sent by another method permitted under the statute).  Also, in any breach involving user name, password or login credentials, the notice must inform the person to promptly change his or her password and security question or answer, as applicable, or to take other appropriate steps to protect the online account and all other online accounts that use the same user name or email address and password or security question or answer.  This will be in addition to the other content, recipient and timing requirements under the new statutory scheme.

Notification Contents Expand

In addition to the information required under the current statute, notifying parties will also be required to inform individuals of a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach.  In any notice to the attorney general, notifying parties will (in addition to information currently required under the statute) be required to include (i) a list of the types of personal information involved, (ii) a time frame of exposure, if known, including date of breach and date of discovery, and (iii) a summary of steps taken to contain the breach.  Notifying parties will also be required to update any notice to the attorney general if any of the required information is unknown at the time the notice due.

Time Frame Shortens

The new statutory language will set an outside (not later than) time frame of thirty calendar days for notification to individuals and, where required, to the attorney general.  The new language will continue to permit delays in the notification to individuals where the delay is at the request of law enforcement or is due to measures necessary to determine breach scope and restore reasonable integrity of the data system.

Organizations handling data of Washington State residents should consider the breadth of the new “Personal Information” definition when assessing risk and reviewing the administrative, physical and technical safeguards they have in place to protect data.  The expanded definition of “Personal Information” will increase organizations’ costs and liability exposure related to any breach involving data of Washington State residents.

Bobby Turnage leads Sands Anderson’s Cybersecurity and Technology Team. If you have any questions about this post or any other information security issues, please reach out to Bobby or a member of the Cybersecurity and Technology Team.