FINAL BILL REPORT

SHB 2015

 

 

C 90 L 02

Synopsis as Enacted

 

Brief Description:  Protecting personal information.

 

Sponsors:  By House Committee on Financial Institutions & Insurance (originally sponsored by Representatives McIntire, Hatfield, Benson, Bush, Ruderman, Schual‑Berke, Conway, Kenney, Keiser and Hurst).

 

House Committee on Financial Institutions & Insurance

Senate Committee on Labor, Commerce & Financial Institutions

 

Background:

 

The right to privacy found in the U.S. Constitution and the Washington state Constitution generally protects individuals from improper intrusion into personal or private affairs by the government, but not by private organizations.  Under the common law, a person may have a cause of action under contract or tort principles if the person's right to privacy is invaded through disclosure of private information.  Statutory protections for private information are limited in Washington, but include laws that, for example, protect a customer's financial information from being shared between financial institutions and/or the government unless certain requirements are met, require disclosure when credit information is shared with other entities, prohibit obtaining financial information fraudulently, and restrict disclosure of personal health care information.

 

With the passage of the federal Gramm‑Leach‑Bliley‑Act (GLBA) in 1999, financial institutions are required to implement procedures to protect the security and confidentiality of customers' non-public personal information.  To this end, the GLBA requires that the pertinent federal agencies promulgate regulations setting forth standards to guide financial institutions in establishing policies and systems to protect such information.  This directive has resulted in a body of federal regulations entitled "Interagency Guidelines Establishing Standards For Safeguarding Customer Information."  These guidelines require financial institutions to develop comprehensive information security programs for the protection of customer information.  Though the guidelines do not specifically address the issue of records disposal, the regulations can be interpreted to require that records disposal procedures be designed to ensure that personal information be destroyed.

 

At least two states, California and Wisconsin, require certain businesses to destroy personal information in records when the business holding the records intends to dispose of them.

 

Summary: 

 

An entity must take reasonable steps to destroy personal financial and health information and government-issued identification numbers in its records when the entity is disposing of records it no longer retains.  This requirement does not apply, however, to disposal of records by legal transfer to another entity, including archiving public records.  An "entity" includes businesses, whether for‑profit or not, engaged in an enterprise in this state, as well as  governmental entities, except the federal government.

 

Financial institutions, health care organizations, and other specified entities subject to federal regulation are deemed to be in compliance with these personal information protection requirements if they comply with pertinent federal regulations.

 

A party injured by the failure of an entity to comply with these personal information protection requirements may bring a civil action against the entity.  For negligent noncompliance, a court may award $200 or actual damages, whichever is greater, and costs and reasonable attorney's fees.  For willful noncompliance, a court may award $600 or treble actual damages, whichever is greater, and costs and reasonable attorney's fees.

 

A party having reason to believe that he or she may be injured by noncompliance may seek injunctive relief, which may be granted with terms as the court finds equitable.  The Attorney General may also bring a civil action for damages or injunctive relief, or both, and the court may award the same damages as may be awarded for individuals.  The remedies provided are in addition to other rights or remedies.

 

Votes on Final Passage:

 

House980

Senate480

 

Effective:  June 13, 2002