In the last year, businesses and agencies sent a record 6.3 million data breach notices to Washingtonians.

Attorney General 2021 Data Breach Report for Washington

Attorney General Bob Ferguson’s sixth annual Data Breach Report, released in November 2021, showed multiple new records made.

“We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater.” Bob Ferguson, Washington State Attorney General

2021 set a new record for the highest number of data breach notices, 6.3 million, sent to Washingtonians. This is an 80% increase on the previous record of 3.5 million in 2018 and a 500% increase over 2020.

Businesses reported 280 data breaches, also a new record. A 260% increase over the previous record of 78 in 2017 and 5 times 2020's total of 60 breaches.

Cyberattacks caused 87.5% of all reported data breaches in 2021 compared to 63% in 2020 with a total of 245 cyberattacks reported in 2021.

More than half, 61%, 150 of 245 cyberattacks reported in 2021, involved ransomware. 150 notices of ransomware is more than the last 5 years combined.

The Attorney General’s Office recorded the first “mega breach” since 2018. A mega breach is a breach that affects 1 million people or more. The cyberattack targeted Accellion, a company that provides file-sharing technology. This resulted in the exposure of files from the Washington State Auditor’s Office that contained the personal information of about 1.3 million Washingtonians. This is the third reported mega breach since 2016.

2021 saw a 496% increase from 2020 in the number of Washingtonians affected by a data breach. 6,385,000 Washingtonians compared to 1,072,000 Washingtonians in 2020.

Source: Washington State Office of the Attorney General

List of Data Breach Notifications in Washington since 2015

A list of all data breach notices sent to the Attorney General’s Office since 2015 is available for review at Data Breach Notifications. 

Data Breach Notification Laws

Data breach protections give Washington one of the most robust data breach notification policies in the country.

Effective March 1, 2020, amendments to the Washington State data breach notification extended the definition of personal information, shortened the deadlines for notification, and imposed additional requirements for notice contents.

In 2015, the Legislature passed legislation to update Washington’s data breach notification statute. Washington’s law requires businesses and governments to notify the Attorney General’s Office after experiencing breaches affecting the personal information of at least 500 Washingtonians.

The new law reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days and expanded the definition of “personal information”. If a security breach affects more than 500 Washington residents, an electronic notification must also be provided to the Attorney General's Office at SecurityBreach@atg.wa.gov. Information for businesses on reporting data breaches can be found here.

Personal Information (PI)

Personal information (PI) includes an individual’s first name or first initial and last name in combination with any of the following:

• Social Security number;

• Drivers license number or Washington identification card number;

• Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to their account;

• Student, military, or passport identification numbers;

• Health insurance policy or identification numbers;

• Full date of birth;

• Private keys for electronic signature;

• Medical information, including medical history, mental or physical condition, diagnoses, or treatment;

• Biometric data including fingerprints, voiceprints, eye retina, iris scans, or other unique characteristics are used to identify a specific individual.

The 2021 report makes recommendations to policymakers on enhancing the protection of personal data, including expanding the definition of personal information to include Individual Tax Identification Numbers as well as the last four digits of a Social Security number.

Security Breach FAQ’s:

• Notifying Consumers: Security Breach FAQ for Businesses (PDF)
• Notifying Residents: Security Breach FAQ for Public Agencies (PDF)
• For Consumers: When Information is Lost or Exposed (FTC link)

Data Security Breach Notification Laws by State

Businesses must invest in security and be ready to respond if a breach occurs. Part of your preparedness program should be staying current on data breach legislation at the state level. Mintz is a useful online resource to review Data Breach Notification Laws by state.

Additional Data Breach Resources:

• Data Breach Response: A Guide for Business (FTC Link)
• Data Breach Response: A Guide for Business (PDF)

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

• Tri-Cities, Washington 509.396.6640
• Yakima, Washington 509.396.6640
• Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!