The Washington State Attorney General (‘AG’), Bob Ferguson, announced, on 22 April 2019, that the Washington State House of Representatives had unanimously passed a bill to strengthen data breach notification laws (HB 1071) (‘the Bill’), following the Washington State Senate’s approval of the Bill, on 15 April 2019. In particular, the Bill would expand consumer data breach notification requirements to include additional types of consumer information. It would require businesses to notify consumers where their name is accessed alongside information including full birth dates, biometric data such as DNA profiles or fingerprints, medical history, student, military, health insurance and passport identification numbers, usernames and passwords, and electronic signatures. Currently, a business is only required to notify consumers if their name is accessed alongside social security numbers, driver’s licence numbers, state identification numbers, or financial account information.
In addition, the Bill would reduce the deadlines to notify consumers and the AG of a breach from 45 days to 30 days following the discovery of the breach, and would retain the exceptions to the consumer notification deadline outlined in the current law, namely, where a delay is at the request of law enforcement, or is due to measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Furthermore, the Bill adds notification content requirements. It provides that consumers must now be notified of the time frame of the exposure, if known, including the date of the breach and the date of the discovery of the breach. Notification to the AG, which is currently required if more than 500 Washington residents are affected by a breach, must now include, among other things, a list of the types of personal information that was or is reasonably believed to have been the subject of a breach, a summary of steps taken to contain the breach, and a sample copy of the security breach notification, excluding any personally identifiable information.
The Bill also contains specific provisions on breaches of usernames and passwords. It states that where a breach of such information occurs, notification must inform the consumer to promptly change their password and security question or answer, or take other appropriate steps to protect the relevant affected online account and all other online accounts for which the consumer uses the same username, email address and password, or security question and answer. Additionally, the Bill requires that where the breach involves the login credentials of an email account furnished by the business, the business may not provide the notification to that email address, but must provide notice of the breach using an alternative method, such as by post, or notification to major statewide media.
The AG highlighted that his office had seen a significant annual increase in the number of Washington residents impacted by data breaches, and argued that the Bill would arm consumers with the information necessary to protect their sensitive data. He also drew attention to the views of Representative Shelley Kloba, who sponsored the Bill. Kloba stated that companies that collect and store data will need to pay more attention to safeguarding it against internal and external threats.
The Bill has been sent to the Washington State Governor, Jay Inslee, and, if signed into law, would take effect on 1 March 2020.
RUMER RAMSEY, Privacy Analyst