Background:

State Security Breach Laws (Chapter 19.255 RCW and Chapter 42.56 RCW).

In 2005 the Legislature enacted parallel security breach laws. Under RCW 19.255.010 the law applies to any person or business. Under RCW 42.56.590, the law applies to all state and local agencies (agency).

These laws require any person or business/agency to notify possibly affected persons when security is breached and unencrypted personal information is (or is reasonably believed to have been) acquired by an unauthorized person. A person or business is not required to disclose a technical breach that does not seem reasonably likely to subject customers to a risk of criminal activity.

Definitions.

"Personal information" is defined as an individual's first name or first initial and last name in combination with one or more of the following data elements, when either the name or the data elements are not encrypted:

social security number;
driver's license number or Washington identification card number; or
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Non-computerized or encrypted data are exempt.

Notification Requirements.

The notice required must be either written, electronic, or substitute notice. If it is electronic, the notice provided must be consistent with federal law provisions regarding electronic records, including consent, record retention, and types of disclosures. Substitute notice is only allowed if the cost of providing direct notice exceeds $250,000, the number of persons to be notified exceeds 500,000, or there is insufficient contact information to reach the customer. Substitute notice consists of all of the following:

electronic mail (e-mail) notice when the person or business has an e-mail address for the subject persons;
conspicuous posting of the notice on the website page of the person or business, if the person or business maintains one; and
notification to major statewide media.

There are no specific requirements for the content of the notification.

Disclosure of a breach must be made in the most expedient time possible and without reasonable delay. Delayed disclosure is allowed if disclosure would impede a criminal investigation.

Enforcement.

Any customer injured by a violation of the security breach statutes may institute a civil action to recover damages.

Consumer Protection Act.

The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The CPA may be enforced by private legal action or through a civil action by the Office of the Attorney General. Any person injured by a violation of the CPA may seek actual damages, costs, and attorney's fees. The court may triple the amount of damages awarded but not to exceed $25,000.

Federal Health Insurance and Accountability Act.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes nationwide standards for the use, disclosure, storage, and transfer of protected health information. Entities covered by HIPAA must have a patient's authorization to use or disclose health care information, unless there is a specified exception. An entity covered under HIPAA must comply with the Health Technology for Economic and Clinical Health Act (HITECH) notification for requirements in cases of a data breach. Under HITECH, entities that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information must, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

Gramm-Leach Bliley Act.

The Gramm-Leach Bliley Act (GLBA) requires financial institutions to give their customers privacy notices that explain the financial institution's information collection and sharing practices. Under the GLBA, a financial institution follows the requirements of the Interagency Guidelines, which establish information security standards in cases of data breach. The Interagency Guidelines state that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.

–––––––––––––––––––––––––––––––––

Summary of Substitute Bill:

Amendments to the current law in this bill apply identically to RCW 19.255.010 and RCW 42.56.590, with the exception of the GLBA exemption.

Definitions.

Protected personal information is no longer limited to computerized and unencrypted data. The term customer is replaced with consumer throughout the statutes. "Secured" means encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable..

Notification Requirements.

Notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm.

If notice is required, there are added requirements for what must be contained in the notice. Notice must meet the following minimum requirements:

is written and in plain language;
includes the name and contact information of the reporting person or business/agency;
lists the type of personal information breached; and
includes toll-free telephone numbers to major credit reporting agencies if the breach exposed personal information.

If a breach results in notification to more than 500 Washington residents, the following added notification requirements apply:

submission of an electronic version of the notification to the Attorney General and;
providing the number of consumers affected (or estimate if unknown).

Notification of a breach of personal information to affected consumers in the most expedient time possible and without delay is further defined as, "no more than 45 days after the breach was discovered. "

Enforcement.

A violation of this law is also a violation of the CPA. Only the Office of the Attorney General can bring an action under the CPA. An individual maintains the ability to institute a civil right of action to recover damages.

Exemptions.

Persons, businesses, and agencies covered under the Federal HIPAA and are in compliance with HIPAA notifications requirements are exempt from notification requirements. Persons and businesses in compliance with notification requirements under the GLBA are also exempt from notification requirements. If more than 500 residents are affected by the breach, then persons, businesses, and agencies that qualify for a HIPAA exemption and persons and businesses that qualify for the GLBA exemption, must report the breach to the Office of the Attorney General.

Substitute Bill Compared to Original Bill:

The substitute bill:

changes the standard for when notification of a data breach is not required, from when there is no risk of criminal activity to when there is no risk of harm;
adds that a breach of secured personal information must be disclosed if the information acquired was not secure during the breach or if a confidential process, encryption key, or other means to decipher secured information was acquired by an unauthorized person;
defines "secured" as encrypted in a manner that meets the NIST standard or otherwise modified to render the information unreadable, unusable, or undecipherable;
requires persons and businesses to report a data breach to the Office of the Attorney General, even if covered and in compliance with HIPAA notice requirements, when more than 500 Washington residents are affected by the breach;
exempts notification for persons and businesses in compliance with the GLBA;
requires persons and businesses to report a data breach to the Office of the Attorney General, even if covered and in compliance with the GLBA notice requirements, when more than 500 Washington residents are affected by the breach
eliminates a private right of action under the Consumer Protection Act, as it applies to persons and businesses; and
changes the requirement that disclosure of a data breach be made no later than 30 days after the breach was discovered to no more than 45 days after the breach was discovered.

Staff Summary of Public Testimony:

(In support) This legislation is aimed at protecting consumers. Notice to consumers is one of the greatest things that can be given to consumers to protect against identity theft. Consumers do not always receive the kind of information they need to take necessary actions. The bill requires notice even when non-computerized data is acquired. There is no reason to treat a consumer's information differently if it is computerized and if the information is taken by an unauthorized person. The bill does not require notice to the Attorney General's Office, which makes it very difficult to track breaches and to know what breaches to be aware of. There is a substitute bill being drafted. Unlike the current law, the substitute bill does not assume that all encryption is up-to-date. That substitute bill presumes that if the encryption is up to the current encryption standard then there is no risk of criminal activity. The idea is to encourage businesses to use strong and up- to date encryption methods. Thirty days versus a 90-day notice makes sense because if you wait until 90 days, then the consumers have not been aware of the breach during that period of time and could not have taken appropriate measures to help themselves. The earlier notice gives consumers the tools to protect themselves and take self-help steps. The bill also requires that other information be provided when notice of a breach is given, including the kind of information that is breached and credit card contact information, so consumers can take certain step to help themselves. The bill maintains the private right of action and includes a presumed damages provision because consumers may be able to demonstrate that they have been injured by the breach, but cannot show the dollar amount. It is a per se violation under the CPA against the business or person that did not provide the notice, but does not allow a private party to bring an action under the CPA.

(With Concerns) The encryption exception should remain in the law. Technologies that are not necessarily encrypted, but that would provide the same protections should also be included in the bill. There is an exception for persons, businesses and agencies in compliance with HIPPA notification requirements and there should also be an exemption for persons and businesses under the GLBA. There should be a GLBA exemption because when there is a data breach, significant costs are already incurred by a person or business and there is already significant regulation under the GLBA. It would be burdensome to persons and businesses to also have to comply with a similar state law. Additional litigation against banks could result because of the minimum damages allowed in the bill. Over notification is also a concern. When a breach occurs, there needs to be sufficient time to investigate the breach, decide who needs to be notified, but also want to be sure not to notify too much, so that a notification is not ignored in the future. Thirty days is an appropriate time frame. Also, over notification could be a concern if notice is required for encrypted and unencrypted information.

(Opposed) Removing the encryption standard could subject individual businesses to litigation because the encryption they have may be challenged as insufficient in the future. Losing a clear bright line is problematic in regards to encryption. The same rules should apply both in the public and private sector.