It was looking like Washington state would be the first state to follow the California Consumer Privacy Act (CCPA), with a GDPR-like law of its own. That effort has stalled, perhaps temporarily. However, both Washington’s House and Senate voted unanimously to send HB 1071 to Gov. Jay Inslee, which would substantially expand the state’s current data breach notification obligations.
Here are some of the highlights:
Definition of personal information. Following many other states, the new law would add to the data elements that, if breached, could trigger a notification obligation. Currently, personal information includes an individual’s first initial or first name and last name, together with one or more of the following: (i) Social Security number; (ii) driver’s license number or Washington identification card number; or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
The following elements would be added to the list:
- Full date of birth;
- Private key unique to an individual and that is used to authenticate or sign an electronic record;
- Student, military, or passport identification number;
- Health insurance policy number or health insurance identification number;
- Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer;
- Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; or
- Username or email address in combination with a password or security questions and answers that would permit access to an online account.
In addition, these elements (other than online account credentials) could be considered personal information even without the consumer’s first name or first initial and last name. That would be the case if encryption, redaction, or other methods have not been applied to render the element(s) unusable and the element(s) would enable a person to commit identity theft against a consumer.
Special Rule for Online Accounts. To combat the practice of many who use the same username and password for different accounts (note to reader: if this is you, stop reading this post and go change your account credentials), the new law would require notifications to provide some direction on this point. Specifically, when a breach involves a username or password, notice may be provided electronically or by email, and must inform affected persons to promptly change their password and security question or answer, as applicable. The notice should also inform affected persons to take other appropriate steps to protect the online account and all other online accounts for which the affected person uses the same username or email address and password or security question or answer.
The new law goes a step further when the person or business providing the notice also furnished the email account to the affected person. In that case, notification must be provided using a permissible method other than email to that account, and must also include the information noted above about changing passwords for at-risk accounts.
Notice Timing and Content. Like other state breach notification laws, Washington’s law requires that notification be provided in the most expedient time possible and without unreasonable delay. Current law provides, however, that notice may not be provided later than forty-five calendar days following discovery. The new law reduces that period to thirty calendar days, both for notice to individuals and for notice to the Attorney General.
Importantly, the new law retains the exceptions to the notification period – notice may be delayed at the request of law enforcement, or if the delay is due to measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. It is not clear whether these exceptions also apply to notifying the Attorney General.
When notification is required, the new law adds to existing content requirements by mandating that notifications include, if known, the time frame of exposure – the date of the breach and the date of the discovery of the breach. Additional information also must be provided under the new law to the Attorney General, but under existing law that notice is required only if more than 500 persons are affected by the breach.
If enacted, the changes in HB 1071 are good examples of why organizations need to continue to monitor these developments and revisit their incident response plans (IRPs). For example, some organizations may be caught off guard by the expanding definition of personal information under these laws: date of birth typically is not included as an element of personal information in most other states (North Dakota is one exception). Out-of-date template notification letters can also reduce the effectiveness of an organization’s IRP.