In the State of Washington, Substitute House Bill (‘HB’) 1071 for an Act relating to a breach of security systems protecting personal information (‘the Breach Bill’) entered into effect on 1 March 2020. Additionally, HB 158 for Data Privacy Amendments (‘the Amendments Bill’) was submitted, on 28 February 2020, to the Utah House of Representatives for its second reading, following a favourable recommendation by the Utah House Judiciary Committee, and is now being considered in the Utah State Senate.

Washington: The strengthening of breach notification requirements

One of the elements of the Breach Bill is that it shortens the deadline for notifying consumers of a data breach from 45 days to 30 days. Moreover, the Breach Bill requires that a person or business that provides notice of a single breach to more than 500 Washington residents must also notify the Washington State Attorney General of the breach.

The Breach Bill also provides an expansion of the definition of personal information to include, among others:

social security number;

driver’s license number or Washington identification card number;

health insurance policy numbers or health insurance identification numbers;

any information about a consumer’s medical history, mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the consumer; or

biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

Following this amendment, the compliance requirements for companies operating in the State of Washington have been expanded and must be kept in mind in the event of a breach.

Utah: A defence for data breaches

The Amendments Bill would create, among other things, affirmative defences to causes of action arising out of a data breach involving personal information, restricted information, or both, and would provide that an entity may not claim an affirmative defence if the entity had notice of a threat or hazard. In addition, the Amendments Bill introduces the requirements for asserting an affirmative defence and clarifies that the creation of such a defence does not create a cause of action for failure to comply with the requirements for asserting the affirmative defence.

The Amendments Bill further describes the components of a cybersecurity programme eligible for an affirmative defence, noting that a covered entity’s written cybersecurity programme reasonably conforms to an industry recognised cybersecurity framework if the written cybersecurity programme:

is designed to protect the type of personal information and restricted information obtained in the data breach;

conforms to the current version of various cybersecurity standards and frameworks;

for personal information or restricted information obtained in the data breach that is regulated by the federal government or state government, reasonably complies with the requirements of regulations such as the security requirements of the Health Insurance Portability and Accountability Act of 1996, or Title V of the Gramm-Leach-Bliley Act of 1999, among others.
