Privacy & Information Security Law Blog

On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.

The bill introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology (“NIST”) standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.” In addition, notice is not required if the breach is “not reasonably likely to subject consumers to a risk of harm.” The bill adds federal preemption language that would exempt certain covered entities from having to comply with the state breach law. With respect to enforcement, the bill would make an organization’s failure to comply with the state’s breach notification law a violation of the Consumer Protection Act.

The bill, which passed the House of Representatives 97-0, will now face the Washington State Senate. It has broad bipartisan support, and if enacted would strengthen the state’s data breach laws.

The Washington legislation was introduced just over a week after Montana’s governor signed into law HB 74, which amends Montana’s existing data breach notification law to expand the definition of personal information to include medical record information and an “identity protection personal identification number” issued by the IRS. The amended law also requires entities to submit to the state Attorney General’s Consumer Protection Office an electronic copy of the notice to affected individuals, and to indicate the date and method of distribution of the individual notice and the number of residents impacted by the breach. The bill was enacted on February 27, 2015, and will take effect on October 1, 2015.