Washington State

House of Representatives

Office of Program Research

BILL ANALYSIS

Financial Institutions & Insurance Committee

 

 

HB 2015

 

Brief Description:  Protecting personal information.

 

Sponsors:  Representatives McIntire, Hatfield, Benson, Bush, Ruderman, Schual‑Berke, Conway, Kenney, Keiser and Hurst.

 

Brief Summary of Bill

• Requires the destruction of personal information in records when an entity is disposing of records it will no longer retain.

 

 

Hearing Date:  1/23/02

 

Staff:  Thamas Osborn (786‑7129).

 

Background:

 

The right to privacy found in the U.S. Constitution and the Washington State Constitution generally protects individuals from improper intrusion into personal or private affairs by the government, but not by private organizations.  Under the common law, a person may have a cause of action under contract or tort principles if the person's right to privacy is invaded through disclosure of private information.  Statutory protections for private information are limited in Washington, but include laws, for example, that protect a customer's financial information from being shared between financial institutions and/or the government unless certain requirements are met, require disclosure when credit information is shared with other entities, prohibit obtaining financial information fraudulently, and restrict disclosure of personal health care information.

 

With the passage of the federal Gramm‑Leach‑Bliley Act (GLBA) in 1999, financial institutions are required to implement procedures to protect the security and confidentiality of customers' nonpublic personal information.  To this end, the GLBA requires that the pertinent federal agencies promulgate regulations setting forth standards to guide financial institutions in establishing policies and systems to protect such information.  This directive has resulted in a body of federal regulations entitled "Interagency Guidelines Establishing Standards For Safeguarding Customer Information".  These guidelines require financial institutions to develop comprehensive information security programs for the protection of customer information.  Though the guidelines do not specifically address the issue of records disposal, the regulations can be interpreted to require that records disposal procedures be designed to ensure that personal information is destroyed.

 

At least two states, California and Wisconsin, require certain businesses to destroy personal information in records when the business holding the records intends to dispose of them.

 

Summary of Bill:

 

Protection for personal information.  An entity must take reasonable steps to destroy personal information in records in the entity's custody when the entity is disposing of records it will no longer retain.  This requirement does not apply, however, to disposal of records by legal transfer to another entity, including archiving public records.

 

Remedies for failure to comply.  A party injured by the failure of an entity to comply with the personal information protection requirements may bring a civil action against the entity.  A court may award:

 

• Actual damages for inadvertent noncompliance.

• $500 or actual damages, whichever is greater, and costs and reasonable attorney's fees for negligent noncompliance.

• $1,500 or treble actual damages, whichever is greater, and costs and reasonable attorney's fees for willful noncompliance.

 

A party having reason to believe that he or she may be injured by noncompliance may seek injunctive relief, which may be granted with terms as the court finds equitable.

 

The Attorney General may also bring a civil action for damages or injunctive relief, or both, and the court may award the same damages as may be awarded for individuals.

 

Failure to comply with the act is a practice covered by the Consumer Protection Act.  The remedies provided are in addition to other rights or remedies.

 

Definitions.  An "entity" includes businesses, whether for‑profit or not, engaged in an enterprise in this state and governmental entities except the federal government.

 

"Personal information" includes information that identifies or describes a particular individual, such as name, signature, social security number, employment or medical history, or financial information.

 

Appropriation:  None.

 

Fiscal Note:  Requested on January 16, 2002.

 

Effective Date:  Ninety days after adjournment of session in which bill is passed.