HOUSE BILL REPORT

SHB 2015

 

 

 

As Passed Legislature

 

Title:  An act relating to protecting personal information.

 

Brief Description:  Protecting personal information.

 

Sponsors:  By House Committee on Financial Institutions & Insurance (originally sponsored by Representatives McIntire, Hatfield, Benson, Bush, Ruderman, Schual‑Berke, Conway, Kenney, Keiser and Hurst).

 

Brief History: 

Committee Activity: 

Financial Institutions & Insurance:  1/23/02, 2/8/02 [DPS].

Floor Activity:

Passed House: 2/16/02, 98-0.

Passed Senate:  3/5/02, 48-0.

Passed Legislature.

 

Brief Summary of Substitute Bill

• Requires an entity to destroy specified personal information and government-issued identification numbers in records that are subject to disposal.

 

 

HOUSE COMMITTEE ON FINANCIAL INSTITUTIONS & INSURANCE

 

Majority Report:  The substitute bill be substituted therefor and the substitute bill do pass. Signed by 11 members: Representatives Cooper, Chair; McIntire, Vice Chair; Benson, Ranking Minority Member; Barlean, Cairnes, Hatfield, Mielke, Miloscia, Roach, Santos and Simpson.

 

Staff:  Thamas Osborn (786‑7129).

 

Background:

 

The right to privacy found in the U.S. Constitution and the Washington state Constitution generally protects individuals from improper intrusion into personal or private affairs by the government, but not by private organizations.  Under the common law, a person may have a cause of action under contract or tort principles if the person's right to privacy is invaded through disclosure of private information.  Statutory protections for private information are limited in Washington, but include laws that, for example, protect a customer's financial information from being shared between financial institutions and/or the government unless certain requirements are met, require disclosure when credit information is shared with other entities, prohibit obtaining financial information fraudulently, and restrict disclosure of personal health care information.

 

With the passage of the federal Gramm‑Leach‑Bliley Act (GLBA) in 1999, financial institutions are required to implement procedures to protect the security and confidentiality of customers' non-public personal information.  To this end, the GLBA requires that the pertinent federal agencies promulgate regulations setting forth standards to guide financial institutions in establishing policies and systems to protect such information.  This directive has resulted in a body of federal regulations entitled "Interagency Guidelines Establishing Standards For Safeguarding Customer Information."  These guidelines require financial institutions to develop comprehensive information security programs for the protection of customer information.  Though the guidelines do not specifically address the issue of records disposal, the regulations can be interpreted to require that records disposal procedures be designed to ensure that personal information be destroyed.

 

At least two states, California and Wisconsin, require certain businesses to destroy personal information in records when the business holding the records intends to dispose of them.

 

 

Summary of Substitute Bill: 

 

An entity must take reasonable steps to destroy personal financial and health information and government-issued identification numbers in its records when the entity is disposing of records it no longer needs.  This requirement does not apply, however, to disposal of records by legal transfer to another entity, including archiving public records.  An "entity" includes businesses, whether for‑profit or not, engaged in an enterprise in this state and governmental entities, except the federal government.

 

Financial institutions, health care organizations, and other specified entities subject to federal regulation are deemed to be in compliance with the act if they comply with pertinent federal regulations.

 

A party injured by the failure of an entity to comply with the personal information protection requirements may bring a civil action against the entity.  A court may award:

 

• $200 or actual damages, whichever is greater, and costs and reasonable attorney's fees for negligent noncompliance.

• $600 or treble actual damages, whichever is greater, and costs and reasonable attorney's fees for willful noncompliance.

 

A party having reason to believe that he or she may be injured by noncompliance may seek injunctive relief, which may be granted with terms as the court finds equitable.  The Attorney General may also bring a civil action for damages or injunctive relief, or both, and the court may award the same damages as may be awarded for individuals.  The remedies provided are in addition to other rights or remedies.

 

 

Appropriation:  None.

 

Fiscal Note:  Available.

 

Effective Date:  Ninety days after adjournment of session in which bill is passed.

 

Testimony For:  There is evidence that all kinds of institutions are disposing of personal information improperly.  Financial institutions were disposing of customer information in unlocked dumpsters.  The Department of Social and Health Services was improperly disposing of client information, including personal histories from psychologists and counselors.  Employee applications and other detailed information, including medical histories, were being disposed of improperly.  Not properly disposing of personal information makes identity theft easier.  It should be made clear that any entity that is subject to the GLBA and is in compliance with it would be in compliance with this bill, and that any entity that is subject to health care information regulations and is in compliance with them would be in compliance with this bill.  This bill has graduated penalties, which is a new concept in regulating this kind of consumer information.  It is a bill designed to get after bad actors.  Most organizations already observe good business practices.

 

Testimony Against:  Last year the Legislature passed extensive identity theft legislation and, given time to work, it will remedy a lot of the identity theft problems we have seen in the past.  The bill provides harsh penalties for violating the law.  If businesses are unknowingly not complying with the law, they face harsh penalties.  The penalties in this bill are harsh for simple negligence.  This bill is broad in its application in relation to what personal information it applies to.  Some information is obvious, but there is other information covered in this bill that a small business may not realize needs to be shredded or destroyed.  For instance, resumes might fall under this bill.  There is a concern that this bill creates a new legal standard of inadvertence which does not currently exist in law.  Inadvertence is like negligence, and negligence is the least egregious standard.  The CPA should not be expanded to cover this type of situation; the CPA is designed to apply to unfair or deceptive trade practices.  Businesses are trying to do the right thing and they are not the criminals.  There is an extensive law that will deter criminals given time.

 

Testified:  (In support) Representative Jim McIntire, prime sponsor.

 

(Opposed) Mellani Hughes, Association of Washington Businesses; and Kevin Underwood, Washington Collectors.