Earlier this year, Washington passed an amended version of its data breach notification law, which goes into effect Friday, July 24, 2015. Washington’s updated breach notification statute will now, among other things, require compromised entities to notify the state Attorney General (AG) in some circumstances, and require notification to both consumers and, as applicable, the state AG within 45 days of discovering a breach. Washington’s amended statute adds to the chorus of states that have updated their breach notification laws in 2015, including Connecticut, Montana, Nevada, North Dakota, Oregon, Rhode Island, and Wyoming.
Under the new statute, the AG must be notified if more than 500 Washington residents are notified of a single breach. To comply with the regulator notice requirements, compromised entities must inform the AG of the number of affected Washington residents and electronically submit a sample copy of the consumer notification. While the updated law now exempts some financial institutions and HIPAA covered entities from notifying affected consumers, those entities must still notify the AG to comply with the statute.
The amendments bolster the law in two key respects: expanding the type of data covered by the statute and adding specific consumer notification content requirements. The previous statute applied only to “computerized” data, and therefore reasonably applied only to electronic files. The updated statute removes the word “computerized” throughout, thereby expanding the type of covered information to include paper and other non-electronic documents. In terms of new content requirements, all notifications sent to Washington residents must now include the following: (1) name and contact information of the business subject to the section, (2) a list of the types of personal information that were or are reasonably believed to have been the subject of a breach, and (3) the toll-free numbers and addresses of the major credit reporting agencies.