SENATE BILL REPORT

SB 5064

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of January 28, 2019

Title: An act relating to breach of security systems protecting personal information.

Brief Description: Protecting personal information.

Sponsors: Senators Nguyen, Darneille, Hasegawa, Wellman, Keiser, Zeiger, Kuderer and Saldaña; by request of Attorney General.

Brief History:

Committee Activity: Environment, Energy & Technology: 1/22/19.

Brief Summary of Bill

  • Expands definition of personal information.

  • Requires the attorney general to be notified no more than 14 days after the discovery of a data breach.

  • Requires consumers to be notified no more than 30 days, with certain exceptions, after the discovery of a data breach.

  • Amends consumer and attorney general notification requirements.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Staff: Angela Kleis (786-7469)

Background: State Security Breach Laws. Under current law, any person or business that conducts business in Washington and all agencies that own, license, or maintain personal information must meet specified requirements regarding the disclosure of any breach of the security system. Certain federally regulated data sets are exempt from disclosure.

Definition of Personal Information. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification Requirements. The breach notification issued to affected, and possibly affected, consumers by a person, business, or agency must be in plain language and include the following:

If more than 500 Washington residents affected by a single breach are required to be notified, the reporting person, business, or agency must also submit to the attorney general a copy of the notification sent to consumers and the general number of affected Washington residents.

Consumers and the attorney general must be notified of a data breach in the most expedient time possible and without unreasonable delay, no more than 45 days after the breach was discovered, with certain exceptions.

Summary of Bill: The bill as referred to committee not considered.

Summary of Bill (Proposed Substitute): Definition of Personal Information. When used in combination with an individual's first name or first initial and last name, the definition of personal information is expanded to include the following data elements:

The definition of personal information also includes:

Notification Requirements. In addition to current requirements, notifications to a consumer must include the time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach. Consumers must be notified of a data breach no more than 30 days after the breach was discovered, with certain exceptions.

Notifications to the attorney general must include the following:

The attorney general must be notified of a data breach no more than 14 days after the breach was discovered. The notice must be updated if any required information is unknown at the time notice is due.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony on Proposed Substitute: PRO: Dealing with the aftermath of a breach can be a frustrating experience for consumers. We trust our most personal information to these companies and it deserves to be treated with dignity and respect. The current definition of personal information is too narrow to effectively protect consumers in today's environment. A recent study showed that most security breaches are not discovered until more than 100 days after the breach. The number of days after a breach needs to be shortened in order to allow consumers to take the necessary steps to protect themselves. We think these protections should be extended to public employees if employers are breached.

OTHER: We think the notification timelines included in the bill are too short and do not provide businesses enough time to complete the complex analyses. An effective date of March 2020 would be more appropriate in order to allow for implementation outside of the holiday season. We have concerns with the use of full date of birth as a separate data element when associated with a name set because inclusion might expand the number of groups regulated by this act. We think the bill could be improved by adding a safe harbor for our mutual defense; aligning notification format with current cybersecurity practices; and adding options for referencing other industry-accepted standards.

Persons Testifying: PRO: Senator Joe Nguyen, Prime Sponsor; Lucinda Young, Washington Education Association; Shannon Smith, Attorney General's Office. OTHER: Trent House, Washington Bankers Association and United Financial Lobby; Mark Johnson, Washington Retail Association; Tom McBride, CompTIA; Bob Battles, Association of Washington Business; Rowland Thompson, Allied Daily Newspapers of Washington.

Persons Signed In To Testify But Not Testifying: No one.