Effective March 1, 2020, Washington State House Bill 1071 amends the state’s data breach notification law, expanding the categories of consumer information the unauthorized access of which would trigger notification requirements. Under current law, any person or business conducts business in Washington State and that owns or licenses data that includes personal information to provide notice to potentially affected consumers and to the state Attorney General no more than 45 calendar days after a data breach that may have resulted in authorized access of consumers’ personal information; as amended, the law will reduce the timeline for notification to 30 days.
In addition to making non-substantive changes (e.g., recodifying definition and exemption provisions), the measure also:
- Adds notification procedures for a data breach involving a consumer’s username or password (which vary according to whether the breach involves login credentials for an email account furnished by the person or business providing the notification);
- Requires the notification to affected consumers to include “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; and
- If a breach affected more than 500 Washington consumers, requires the notification to the Attorney General to provide: (i) a list of the types of personal information that were, or are reasonably believed to have ben, the subject of a breach; (ii) “[a] time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach”; (iii) a summary of steps taken to contain the breach; and (iv) a sample copy of a notification (which must exclude any personally identifiable information).
