It was looking like Washington state would be the first state to follow the California Consumer Privacy Act (CCPA), with a GDPR-like law of its own. That effort has stalled, perhaps temporarily. However, both Washington’s House and Senate voted unanimously to send HB 1071 to Gov. Jay Inslee, which would substantially expand the state’s current data breach notification obligations.

Here are some of the highlights:

Definition of personal information. Following many other states, the new law would add to the data elements that if breached could trigger a notification obligation. Currently, personal information includes an individual’s first initial or first name and last name, together with one or more of the following – (i) Social Security number, (ii) Driver’s license number or Washington identification card number; or (iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The following elements would be added to the list:

  • Full date of birth;
  • Private key unique to an individual and that is used to authenticate or sign an electronic record;
  • Student, military, or passport identification number;
  • Health insurance policy number or health insurance identification number;
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer; or
  • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual;
  • Username or email address in combination with a password or security questions and answers that would permit access to an online account.

In addition, these elements (other than online account credentials) could be considered personal information even without the consumer’s first name or first initial and last name. That would be the case if encryption, redaction, or other methods have not be applied to render the element(s) unusable and the element(s) would enable a person to commit identity theft against a consumer.

Special Rule for Online Accounts. To combat the practice of many who use the same username and password for different accounts (note to reader, if this is you, stop reading this post and go change your account credentials), the new law would require notifications to provide some direction on this point. Specifically, when a breach involves a username or password, notice may be provided electronically or by email, and must inform affected persons to promptly change his or her password and security question or answer, as applicable. The notice should inform affected persons to take other appropriate steps to protect the online account and all other online accounts for which the affected person uses the same username or email address and password or security question or answer.

The new law goes a step further when the person or business providing the notice also furnished the email account to the affected person. In that case, notification must be provided using a permissible method other than email to that account, and must also include the information noted above for changing passwords for at risk accounts.

Notice Timing and Content. Like other state breach notification laws, Washington’s law requires notification be provided in the most expedient time possible and without unreasonable delay. Current law provides, however, that notice may not be provided later than forty-five calendar days following discovery. The new law reduces that period to thirty calendar days both for notice to individuals as well as to the Attorney General.

Importantly, the new law retains the exceptions to the notification period – notice may be delayed at the request of law enforcement or if due to measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. It is not clear if these exceptions also apply for notifying the Attorney General.

When notification is required, the new law adds to existing content requirements by mandating that notifications include, if known, the time frame of exposure – the date of the breach and the date of the discovery of the breach. Additional information also must be provided under the new law to the Attorney General, but under existing law that notice is required only if more than 500 persons are affected by the breach.

If enacted, the law changes in HB 1071 provide good examples of the need for organizations to continue to monitor these developments and revisit their incident response plans (IRPs). For example, some organizations may get caught off guard by the expanding definition of personal information under these laws. Date of birth typically is not included as an element of personal information in most other states (North Dakota is one exception). Having out of date template letters also can minimize the effectiveness of the organizations IRP.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP)…

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coached hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees
  • Supports organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counsels plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assists in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advises plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy, and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.