New data breach protections give Washington one of the most robust data breach notification policies in the country.

Data Breach Notification Laws

Effective March 1, 2020, amendments to the Washington State data breach notification extended the definition of personal information, shortened the deadlines for notification, and imposed additional requirements for notice contents.

In 2015, the Legislature passed legislation to update Washington’s data breach notification statute. Washington’s law requires businesses and governments to notify the Attorney General’s Office after experiencing breaches affecting the personal information of at least 500 Washingtonians.

The new law reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days and expanded the definition of “personal information”. If a security breach affects more than 500 Washington residents, electronic notification must also be provided to the Attorney General's Office at SecurityBreach@atg.wa.gov.

Personal Information (PI)

Personal information (PI) includes an individual’s first name or first initial and last name in combination with any of the following:

• Social Security number;

• Drivers license number or Washington identification card number;

• Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to their account;

• Student, military, or passport identification numbers;

• Health insurance policy or identification numbers;

• Full date of birth;

• Private keys for electronic signature;

• Medical information, including medical history, mental or physical condition, diagnoses, or treatment;

• Biometric data including fingerprints, voiceprints, eye retina, iris scans, or other unique characteristics are used to identify a specific individual.

  
  

“In 2020, the total number of breaches reported to our office decreased by 15%, and yet the total number of Washingtonians impacted by breaches rose by 67%, with nearly 65% resulting from a malicious cyberattack.”

Bob Ferguson, Washington State Attorney General

Attorney General 2020 Data Breach Report

Attorney General Bob Ferguson’s fifth annual Data Breach Report, released in October 2020, showed that the number of Washingtonians affected by breaches just about doubled in the last year and ransomware attacks tripled.

This 2020 report is based on data breach notifications received by the Attorney General’s Office between July 24, 2019, and July 23, 2020, that affected more than 500 Washingtonians’ personal information.

Source: Washington State Office of the Attorney General

List of Data Breach Notifications in Washington since 2015

Data security breach notifications sent to the Attorney General’s Office are available for review at Data Breach Notifications. 

Security Breach FAQ’s:

• Notifying Consumers: Security Breach FAQ for Businesses (PDF)
• Notifying Residents: Security Breach FAQ for Public Agencies (PDF)
• For Consumers: When Information is Lost or Exposed (FTC link)

Data Security Breach Notification Laws by State

Businesses must invest in security and be ready to respond if a breach occurs. Part of your preparedness program should be staying current on data breach legislation at the state level. Mintz is a useful online resource to review Data Breach Notification Laws by state.

Image Courtesy of Mintz

Additional Data Breach Resources:

• Data Breach Response: A Guide for Business (FTC Link)
• Data Breach Response: A Guide for Business (PDF)

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

• Tri-Cities, Washington 509.396.6640
• Yakima, Washington 509.396.6640
• Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!