FINAL BILL REPORT
SHB 1071
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent. |
C 241 L 19
Synopsis as Enacted
Brief Description: Protecting personal information.
Sponsors: House Committee on Innovation, Technology & Economic Development (originally sponsored by Representatives Kloba, Dolan, Tarleton, Slatter, Valdez, Ryu, Appleton, Smith, Stanford and Frame; by request of Attorney General).
House Committee on Innovation, Technology & Economic Development
Senate Committee on Environment, Energy & Technology
Senate Committee on Ways & Means
Background:
Any person, business, or agency that owns or licenses data that includes personal information must provide a data breach notice to Washington resident consumers whose unencrypted personal information is (or is reasonably believed to have been) acquired by an unauthorized person as a result of a data breach.
Any person, business, or agency that maintains, but does not own, data that includes personal information must also notify the owner or licensee of that data of any data breach if the owner's or licensee's personal information is (or is reasonably believed to have been) acquired by an unauthorized person.
Notice is not required if the data breach is not reasonably likely to subject Washington resident consumers to a risk of harm.
Definitions.
"Personal information" is defined as an individual's first name or first initial and last name in combination with one or more of the following data elements:
Social Security number;
driver's license number or Washington identification card number; or
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Data Breach Notice Requirements.
A data breach notice may be provided by one of the following methods:
written notice;
electronic notice in accordance with federal provisions regarding electronic records and signatures; or
substitute notice consisting of an electronic mail (email) notice, conspicuous website notice, and notification to major statewide media.
A data breach notice must include the following information:
the name and the contact information of the reporting person, business, or agency;
a list of the types of personal information that were, or are reasonably believed to have been, the subject of a data breach; and
the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
Additionally, if a breach requires notice to more than 500 Washington residents, the reporting person, business, or agency must electronically submit to the Attorney General:
a sample data breach notice provided to consumers, excluding any personally identifiable information; and
the number (or an estimate, if the exact number is unknown) of Washington consumers affected by the breach.
Data breach notices must be provided to affected consumers and to the Attorney General no more than 45 days after the breach is discovered.
Delayed notice is allowed if a law enforcement agency determines that the notification would impede a criminal investigation.
Exemptions.
Persons, businesses, and agencies covered under the federal Health Insurance Portability and Accountability Act (HIPAA) and in compliance with the HIPAA notification requirements are exempt from providing consumers with a data breach notice. When more than 500 Washington residents are affected by the breach, the HIPAA-covered entities must provide a data breach notice to the Attorney General in accordance with the HIPPA timeliness requirements. The notice must contain the same information as is required of entities not covered by the HIPPA.
Financial institutions in compliance with information security rules under the federal Gramm-Leach-Bliley Act (GLBA) are also exempt from providing consumers with a data breach notice. When more than 500 Washington residents are affected by the breach, the GLBA-covered entities must provide a data breach notice to the Attorney General in accordance with the same provisions that apply to entities not covered by the GLBA.
Summary:
Definitions.
The definition of "personal information" is modified to mean an individual's first name or first initial and last name in combination with one or more of the following data elements:
Social Security number;
driver's license number or Washington identification card number;
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
full date of birth;
a private key that is unique to an individual and that is used to authenticate or sign an electronic record;
student, military, or passport identification number;
health insurance policy number or health insurance identification number;
any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patters or characteristics that may identify a specific individual.
"Personal information" includes any of the above-listed data elements, alone or in combination, without the consumer's first name or first initial and last name, if encryption has not rendered the data elements unusable and if the data elements would enable a person to commit identity theft against a consumer.
"Personal information" also includes username and email address in combination with a password or security questions and answers that would permit access to an online account.
Data Breach Notice Requirements.
If the breach of the security of the system involves personal information that includes a user name or password, data breach notice may be provided electronically or by email. Such notice must inform the person whose personal information has been breached to take certain steps to protect the person's online account. However, when the breach of the security of the system involves login credentials of an email account furnished by a person or business, notification by email to that account is not permitted.
Data breach notice must be provided to affected consumers no more than 30 days after the breach was discovered and must additionally include a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach. An agency may delay notification to affected consumers for up to an additional 14 days to allow for notification to be translated into the primary language of the affected consumers.
Data breach notice must be provided to the Attorney General no more than 30 days after the breach was discovered and must include the following additional information:
a list of the types of personal information that were, or are reasonably believed to have been, the subject of the breach;
a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach; and
a summary of the steps taken to contain the breach.
If any of the required information is unknown at the time notice is due, the reporting entity must update its notice to the Attorney General.
Votes on Final Passage:
House | 94 | 0 | |
Senate | 46 | 0 | (Senate amended) |
House | 96 | 0 | (House concurred) |
Effective: | March 1, 2020 |