Expanded data security breach laws taking effect in Washington

by Joelle Hong and Amelia Morrow Gerlicher

Washington’s expanded data security breach notification laws are set to take effect July 24, meaning employers must make sure they have safe and effective privacy practices in place and are ready to respond in the event of a security breach.

Under the old law, businesses that own or license computerized data containing personal information about Washington residents must disclose any breach involving unencrypted personal information. But beginning July 24, the requirement will expand to include both computerized and hard copy data containing personal information that is not “secured” as well as encrypted information if the person who gains unauthorized access to the data has access to the encryption key or an alternative means of deciphering the data.

“Secured” means data were encrypted in a manner that meets or exceeds the National Institute of Standards and Technology’s standard or is otherwise modified so that personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.

Under the new laws, businesses must notify affected consumers (and the state attorney general if a breach affects more than 500 Washington residents) in the most expedient time possible without unreasonable delay and within 45 days of discovering the breach. The notice to the attorney general must include a copy of the notice sent to consumers as well as the estimated number of residents affected by the breach. The legislation grants the attorney general the authority to file suit on behalf of the state or residents, thus adding state action to the existing private claim under the preamendment law.

The legislation requires that consumer notification include the name and contact information of the reporting business, a list of the types of personal information affected, and contact information for the major credit reporting agencies.

Washington’s legislation does not include medical information or health data in its definition of “personal information,” and it deems entities that are covered by the Health Insurance Portability and Accountability Act (HIPAA) compliant with the law if they comply with applicable federal guidelines. However, those entities must still notify the attorney general in the event of a qualifying breach.

Also, financial institutions will be considered compliant with the new laws if they follow applicable federal guidelines, but they must notify the attorney general in addition to their primary federal regulator in the event of a breach.

For more information on the Washington data security breach laws, see the June issue of Washington Employment Law Letter.

Joelle Hong and Amelia Morrow Gerlicher are attorneys with Perkins Coie LLP in Seattle, Washington. Joelle can be reached at Amelia can be reached at