Data Protection Report - Norton Rose Fulbright

A more robust data breach notification law looks set to make its way onto the books in the state of Washington, as newly passed legislation was sent to Governor Jay Inslee’s desk earlier this week for final approval.  House Bill 1078, which has now passed both legislative houses by unanimous vote, will bring about several notable changes to Washington State’s breach notification law if and when it is signed by the Governor.

Currently tending towards the middle of the pack relative to the other 46 states having enacted data breach laws, the breach notification law in the State of Washington, in its current form, is nothing extraordinary in terms of the legal obligations imposed upon a breached entity.  With House Bill 1078 on its way to becoming law, however, data owners suffering a breach affecting residents of Washington State will soon face one of the more stringent breach notification laws enacted to date.

Among other revisions to Washington State’s current breach notification law—Rev. Code Wash. § 19.255.010—Washington might soon become just the fifth state to require that a breached entity provide notice of the data compromise to affected individuals within an explicitly defined timeframe.  Most states’ breach notification laws (including those currently in effect in Washington) require individual notification “in the most expedient time possible and without unreasonable delay” following a data breach in which Protected Personal Information is potentially compromised.  Only Florida, Ohio, Vermont, and Wisconsin impose more onerous obligations on a breached entity, specifying that timely notification must be provided within 45 days of discovery of the breach (30 days under Florida’s laws).  If House Bill 1078 becomes law, Washington will join the minority ranks in effectively defining unreasonable delay to mean that 45 days have passed since the breach was discovered.

In that same vein, House Bill 1078 would impose a new obligation upon breached entities providing statutory notification to Washington residents, requiring them to also inform the Washington Attorney General of the incident—also within 45 days—where more than five hundred Washington residents are affected.  Additionally, new provisions provide explicit authority to the Attorney General to use consumer protection laws to bring an enforcement action against a breached entity for non-compliance, both as a state-sponsored action as well as “parens patriae” on behalf of affected individuals.

Washington’s data breach law would also be revised to (i) encompass breaches involving hard-copy records as well as breaches of “computerized data,” (ii) lower the risk of harm threshold to account for broader risk of harm not necessarily involving “criminal activity,” and (iii) specify incident details that must be communicated to affected individuals receiving statutory notice.

For more information on the Bill’s history and progression towards becoming law, visit the Washington State Legislature’s HB 1078 Bill Info Page.