Washington State Governor Jay Inslee signed legislation making Washington among the five US states with the most rigorous data breach notification laws enacted to date. Washington joins Florida, Ohio, Vermont, and Wisconsin in imposing strict and specific obligations on any business that has suffered a data breach. The new law was effective immediately.
The new law applies to all entities that conduct business in Washington. The law amends Washington’s previous breach notification law (Rev. Code Wash. §19.255.010) in significant ways including the following:
-
breached entities must notify affected consumers within 45 days (ie, in place of the current requirement of an “expedient time… without unreasonable delay”);
-
breached entities must now inform the Washington Attorney General of the data breach incident within 45 days if the data breach affects more than 500 Washington residents;
-
the Washington Attorney General is authorized to bring an enforcement action against a breached entity for non-compliance both directly on behalf of the State of Washington, and as representative of affected individuals.
-
limited exceptions to the 45 day notice requirement are available to provide law enforcement the opportunity to analyze the potential impact on criminal investigations or “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system”;
-
breaches involving any type of data (ie, paper documents in addition to “computerized data”) will be covered;
-
breaches of encrypted data will also be covered in the event that unauthorized persons acquired “other means to decipher the secured information”; and
-
the breach incident notice must be written “in plain language” and to include specific details of the breach.
In practice, this law reemphasizes the importance of collaboration between legal, risk management, and technology departments. In addition to Washington’s new law, data breach lawsuits have been filed under theories as wide-ranging as breach of contract, ERISA fiduciary duty, and failure to secure health information of employees. Companies of all sizes are encouraged to work with counsel to reduce cyber risk.