A new data breach notification law (HB 1071 / SB 5064) has been unanimously passed by the Washington legislature and awaits Washington Governor Jay Inslee’s signature. The law broadens the definition of personal information and shortens the timescale for issuing notifications to 30 days.
Currently, data breach notification laws in Washington only require entities to issue notifications in the event of a breach of a state resident’s name along with a Social Security number, state ID, driver’s license number, or credit/debit card number.
The updated breach notification law will also require notifications to be issued in the event of a breach of the following data elements:
- Full date of birth
- Military ID numbers
- Biometric data
- Passport ID numbers
- Student ID numbers
- Medical histories
- Health insurance ID numbers
- Usernames and email addresses in combination with a password or answers to security questions that would allow an account to be accessed
- Keys for electronic signatures
With the exception of online account credentials, the new data elements could be classed as personal information even if they are not combined with an individual’s first and last name.
Notifications will need to be issued if one or more of the above data elements is compromised and has not first been made unusable – through encryption – and if the breach of that information is reasonably likely to place an individual at risk of harm.
The timescale for issuing notifications has been reduced from 45 days to 30 days after the discovery of a breach, although notifications should be issued in the most expedient time possible and without unreasonable delay. A notification must also be sent to the state Attorney General within the same timeframe.
As is the case in California, the new data breach notification law stipulates the information that must be included in breach notification letters. The letters must state the date of the breach, the discovery date, its duration (if known), and the types of information that were compromised or exposed. The Attorney General notification must also include the number of state residents affected (or an estimate if the actual number is not known) and the steps that have been taken to contain the breach.
Healthcare organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to be in compliance with the new breach notification law if they are in compliance with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.