New Data Breach Law in the State of Washington

Washington’s H.B. 1071 is a security breach notification law that was recently passed in the U.S. state of Washington in 2020. Washington’s H.B. 1071 was passed for the purpose of amending previous data breach notification legislation within the state, by taking into account the new forms of personal information that may be compromised during a data breach such as biometrics, as well as electronic records. With this being said, Washington’s H.B. 1071, in conjunction with legislation such as Washington’s Revised Code Ann. 19.375.020, provides residents of the state of Washington with legal protections as it concerns data protection and privacy.

What are the data breach notification requirements under Washington’s H.B. 1071?

Under Washington’s H.B. 1071, business entities within the state of Washington are required to provide residents within the state with the following information in the event that a security breach occurs:

• A general description of the security breach, in general terms.
• The name and contact information for the entity that is reporting the security breach.
• The categories of personal information that were compromised or were believed to have been compromised as a result of the breach.
• The toll-free numbers of all three credit reporting agencies within the U.S., Equifax, Experian, and TransUnion, if the security breach leads to the unauthorized disclosure of personal information.

What’s more, the law also requires business entities to provide notification to the Washington attorney general if a data breach affects more than 500 residents within the state. To this point, these notifications must contain the following information:

• The number of residents within the state that have been affected by the breach, or an estimate if the exact number is unknown.
• The categories of personal information that were compromised or were believed to have been compromised as a result of the breach.
• A general time frame for the breach, including the date on which the breach occurred, if such information is available.
• A summary of the steps that consumers can take to mitigate the effects of the breach.

What categories of personal information are protected under Washington’s H.B. 1071?

Under Washington’s H.B. 1071, the following categories of personal information are protected from disclosure in the event of a security breach, in combination with a Washington state resident’s first name or first initial and last name, in instances where the information has not been encrypted:

• Social security numbers.
• Driver’s license numbers and state identification card numbers.
• Account numbers, credit, and debit card numbers, as well as any other numbers or information such as passcodes and security codes that could be used to permit access to a resident’s financial account.
• A resident’s full date of birth.
• Private keys that are unique to an individual and could be used to authenticate or sign an electronic record.
  Student, passport, and military identification numbers.
• Health insurance identification and policy numbers.
• Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.
• Biometric information or data that is generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

What are the penalties for violating Washington’s H.B. 1071?

As it pertains to punishments for failure to comply with the law, the provisions set forth in Washington’s H.B. 1071 are enforced by the Washington attorney general. To this end, business entities within Washington state that are found to be in violation of the law are subject to a number of penalties. Most notably, the law allows residents within the state “to institute a civil action to recover damages” in instances where they believe their rights have been violated under the law. Alternatively, violations of Washington’s H.B. 1071 are also considered to be unfair or deceptive acts, as well as an unfair method of competition, in accordance with other applicable legislation within the state. Furthermore, if a security breach results in a Washington state resident taking a financial loss, the financial institution that experienced the breach is legally liable for the said loss under the provisions of the law.

While every state and territory within the U.S. has passed some form of legislation regarding security breach incidents, many of these laws were passed before the prevalence of online communication as we know it today. As such, the provisions of Washington’s H.B. 1071 numerous forms of personal information in the event of a data breach, as the adverse effects that can result from a security breach are very different from the effects that consumers would have experienced ten or fifteen years ago. Moreover, Washington’s H.B. 1071 represents just one facet of a larger legal framework that Washington state has enacted over a number of years, with the goal of protecting the personal information of residents within the state.