Legislature Unanimously Passed the New Washington Breach Notification Law

The Washington legislature unanimously passed a new data breach notification law (HB 1071 / SB 5064) and the bill simply awaits the signature of Washington Governor Jay Inslee. The law expands the personal information definition and sets 30 days for issuing breach notifications.

At present, the Washington data breach notification laws call for the issuance of notifications only in cases where there is a breach of a state resident’s name together with a state ID, Social Security number, credit/debit card number or driver’s license number.

Under the new breach notification law, notifications will also be required if there’s a breach of these data elements:

  • Complete date of birth
  • Military ID numbers
  • Biometric information
  • Student ID numbers
  • Passport ID numbers
  • Health insurance ID numbers
  • Medical histories
  • Usernames and email addresses along with a password or security question answers that will allow the access of an account
  • Keys for electronic signatures

Except online account credentials, the above data elements may be classified as personal information even though they’re not coupled with an person’s first and last name.

Notifications must be issued in case of a compromise of one or more of the listed data elements, which were not encrypted, and if the breached information could likely put a person at risk of hurt.

The time period for the issuance of notifications was changed from 45 to 30 days after discovering a breach. Nevertheless, notifications must still be given in the fastest time possible and with no unreasonable delay. The state Attorney General should also be notified within the same time period.

Just as is the case in California, the new data breach notification law states the data that need to be put in breach notification letters. The letters should point out the date when the breach happened, the discovery date, its time frame (if identified), and the compromised or exposed types of data. The Attorney General notification should likewise include how many state residents were affected (or an approximation if the actual number is unknown) and the actions that were taken to manage the breach.

Healthcare organizations under the Health Insurance Portability and Accountability Act (HIPAA) will be considered compliant with the new breach notification law when they are already comply with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.