The Washington legislature has unanimously passed HB 1071 / SB 5064, a new data breach notification law. The only thing the bill still needs is the signature of Washington Governor Jay Inslee. The law broadens the definition of personal information and requires breach notifications to be issued within 30 days. At present, Washington's data breach notification laws require notifications to be issued only when a breach involves a state resident's name combined with a state ID, driver's license number, Social Security number, or credit/debit card number.
The new breach notification law requires notifications to be issued if a breach involves any of the following data elements:
- Military ID numbers
- Student ID numbers
- Passport ID numbers
- Biometric information
- Health insurance ID numbers
- Complete date of birth
- Medical histories
- Usernames and email addresses coupled with a password or answers to security questions
- Electronic signature keys
Other than online account credentials, the data elements listed above may be categorized as personal information even if they are not combined with an individual's first and last name.
Entities must issue notifications if one or more of the data elements listed above are compromised, provided the data was not encrypted and the breach of that information could place a person at risk of harm.
The time frame for issuing notifications was shortened from 45 to 30 days after a breach is discovered. Even so, notifications should be issued as soon as possible and without unreasonable delay. Entities must also notify the state Attorney General within the same time frame.
As in California's new data breach notification law, the information that entities must include in breach notification letters is specified. The letters must state the date the breach took place, the date of discovery, the time frame of the breach (if known), and the types of data compromised or exposed. The notification sent to the Attorney General must also include the number of state residents affected (or an estimate if the actual number is unknown) and the steps taken to mitigate and contain the breach.
Healthcare entities covered by the Health Insurance Portability and Accountability Act (HIPAA) will be deemed compliant with the new notification law if they’ve been found compliant with section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.