SENATE BILL REPORT

SHB 2015

 

As Reported By Senate Committee On:

Labor, Commerce & Financial Institutions, February 28, 2002

 

Title:  An act relating to protecting personal information.

 

Brief Description:  Protecting personal information.

 

Sponsors:  House Committee on Financial Institutions & Insurance (originally sponsored by Representatives McIntire, Hatfield, Benson, Bush, Ruderman, Schual‑Berke, Conway, Kenney, Keiser and Hurst).

 

Brief History: 

Committee Activity:  Labor, Commerce & Financial Institutions:  2/27/02, 2/28/02 [DP, DNP].

SENATE COMMITTEE ON LABOR, COMMERCE & FINANCIAL INSTITUTIONS

 

Majority Report:  Do pass.

Signed by Senators Prentice, Chair; Keiser, Vice Chair; Benton, Deccio, Fairley, Franklin, Gardner, Honeyford, Rasmussen, Regala and Winsley.

 

Minority Report:  Do not pass.

Signed by Senator Hochstatter.

 

Staff:  Dave Cheal (786-7576)

 

Background:  The right to privacy found in the U.S. Constitution and the Washington State Constitution generally protects individuals from improper intrusion into personal or private affairs by the government, but not by private organizations.  Under the common law, a person may have a cause of action under contract or tort principles if the person's right to privacy is invaded through disclosure of private information.  Statutory protections for private information are limited in Washington, but include laws that, for example, protect a customer's financial information from being shared between financial institutions and/or the government unless certain requirements are met, require disclosure when credit information is shared with other entities, prohibit obtaining financial information fraudulently, and restrict disclosure of personal health care information.

 

With the passage of the federal Gramm‑Leach‑Bliley Act (GLBA) in 1999, financial institutions are required to implement procedures to protect the security and confidentiality of customers' non-public personal information.  To this end, the GLBA requires that the pertinent federal agencies promulgate regulations setting forth standards to guide financial institutions in establishing policies and systems to protect such information.  This directive has resulted in a body of federal regulations entitled "Interagency Guidelines Establishing Standards For Safeguarding Customer Information."  These guidelines require financial institutions to develop comprehensive information security programs for the protection of customer information.  Though the guidelines do not specifically address the issue of records disposal, the regulations can be interpreted to require that records disposal procedures be designed to ensure that personal information be destroyed.

 

At least two states, California and Wisconsin, require certain businesses to destroy personal information in records when the business holding the records intends to dispose of them.

 

Summary of Bill:  An entity must take reasonable steps to destroy personal information in records in the entity's custody when the entity is disposing of records it no longer needs.  This requirement does not apply, however, to disposal of records by legal transfer to another entity, including archiving public records.  An "entity" includes businesses, whether for‑profit or not, engaged in an enterprise in this state and governmental entities, except the federal government.

 

Financial institutions, health care organizations, or other entities subject to federal regulation under the Interagency Guidelines Establishing Standards for Safeguarding Consumer Information are considered to comply with this state law if they comply with the federal guidelines for safeguarding personal information.

 

A party injured by the failure of an entity to comply with the personal information protection requirements may bring a civil action against the entity.  A court may award:

 

$200 or actual damages, whichever is greater, and costs and reasonable attorney's fees for negligent noncompliance.

$600 or treble actual damages, whichever is greater, and costs and reasonable attorney's fees for willful noncompliance.

 

A party having reason to believe that he or she may be injured by noncompliance may seek injunctive relief, which may be granted with such terms as the court finds equitable.  The Attorney General may also bring a civil action for damages or injunctive relief, or both, and the court may award the same damages as may be awarded for individuals.  Failure to comply with the act is a practice covered by the Consumer Protection Act.  The remedies provided are in addition to other rights or remedies.

 

Appropriation:  None.

 

Fiscal Note:  Available.

 

Effective Date:  Ninety days after adjournment of session in which bill is passed.

 

Testimony For:  Experience in this state has demonstrated that some custodians of personal financial information are careless in their methods of disposal.  This lack of care is a recipe for increased incidence of identity theft and other privacy abuses.  Federal regulations appear not to cover this issue; however, for financial institutions, compliance with federal requirements is expressly declared to be compliance with this act.  This is a reasonable and minimal requirement in view of the high stakes for consumers.

 

Testimony Against:  The remedy for intentional violations is too high ($600 or three times the actual damages, whichever is greater).

 

Testified:  Rep. Jim McIntire (pro); Mellani Hughes, AWB (con).