On May 7, 2019, Washington Governor Jay Inslee signed a bill (HB 1071) amending Washington’s data breach notification law in several important ways:
- Expanded Definition of Personal Information. HB 1071 expands the definition of “personal information” to include date of birth, health or health insurance information, and biometric data (in combination with an individual’s name). Also included in the expanded definition is an individual’s username or email address in combination with a password or security questions and answers that would permit access to an online account.
- Method of Notification for Breach Involving Username or Password. HB 1071 allows entities to provide notice to affected individuals electronically or by email if the breach involves a username or password. The notice must direct the individual to promptly change the affected password and/or security question or answer, or take other appropriate steps to protect (a) the individual’s account with the entity and (b) all other online accounts for which the individual uses the same information.
- Additional Notification Content Requirements. HB 1071 requires notifications to include, among other things, a time frame of the exposure of personal information, if known, including the date of the breach and the date of discovery of the breach. Notice to the Attorney General must also include a list of the types of information affected by the breach, a summary of steps taken to contain the breach, and a sample copy of the notice to affected individuals.
- Timing of Notification. HB 1071 shortens the timing requirement for all mandated notifications from 45 days to 30 days.
HB 1071 takes effect March 1, 2020.