Can Your Business Comply with the Amended Washington Data Breach Law?

May 19, 2015

New reporting requirements will require some planning.

In the ever-expanding list of compliance rules, businesses now have a new requirement in the event that a data breach exposes consumer information in Washington. It’s important that businesses set up a process that identifies an individual responsible for sending and tracking notifications under the new rules. Fines of up to $25,000 can add up quickly when the information of several individuals is exposed.

Amended Data Breach Law in Washington

When the Washington legislature passed H.B. 1078, it set a 45-day notification deadline and added other notice requirements to its data breach laws. Governor Jay Inslee signed the bill into law on April 23, putting greater compliance requirements on businesses that suffer unauthorized access to the personal information (PI) it holds. In addition, the new bill:

  • Expands data breach definitions to include hard copy data, not just electronic information
  • Requires businesses to notify the Washington Attorney General (AG) if more than 500 Washington residents need to be notified of a breach
  • Gives Washington AG power to enforce the statute under Washington’s consumer protection act, which can result in fees or treble damages up to $25,000.
  • Specifies the information to be included in a consumer notification, to include the business name and contact information, a list of the types of PI exposed and contact information for consumer reporting agencies
  • Alters safe harbor language to protect businesses that encrypt information at or above the standards set by the National Institute of Standards and Technology (NIST), rather than simply identifying such information as “encrypted.” The safe harbor is subject to an assessment of potential harm.
  • Exempts entities covered under HIPAA and the Graham-Leach-Bliley Act, so long as they notify the AG.

Businesses have some time to prepare their process for managing the new reporting procedures. The law doesn’t take effect until July 24, 2015. Federal legislation is pending on the same issue. As it stands, federal laws only protect Personal Health Information (PHI) and PI in relation to banking. A bill introduced by Sens. Tom Carper of Delaware and Roy Blunt of Missouri, the Data Security Act that, is expected to broaden consumer protections to all types of PI, but will likely have less stringent standards, creating a minimum notification requirement that states would be free to alter by local legislation. For this reason, its unlikely businesses need to worry that Federal legislation will enforce even stricter standards.

Managing the New Notification Law

To deal with these new requirements, consider a process where your security team notifies a designated individual and a manager. The person responsible for creating and mailing consumer notices, as well as tracking the number of consumers affected, should be overseen by a manager. Having a second set of eyes will ensure notices include all required information and that the AG is notified when required.

We are experienced in helping businesses remain compliant with changing laws. Whether human resources, regulatory compliance  or other areas of law, we can help you ensure your business remains compliant, avoiding fines and  other potential liability. Call the office at 253.302.5955, or use the online contact form to arrange for a consultation to discuss your business’s legal needs