SENATE BILL REPORT
SSB 6043
As Passed Senate, March 8, 2005
Title: An act relating to breaches of security that compromise personal information.
Brief Description: Addressing breaches of security that compromise personal information.
Sponsors: Senate Committee on Financial Institutions, Housing & Consumer Protection (originally sponsored by Senators Brandland, Fairley, Benson, Keiser, Schmidt, Spanel, Benton, Franklin, Berkey, Kohl-Welles and Rasmussen).
Brief History:
Committee Activity: Financial Institutions, Housing & Consumer Protection: 3/1/05 [DPS].
Passed Senate: 3/8/05, 47-0.
SENATE COMMITTEE ON FINANCIAL INSTITUTIONS, HOUSING & CONSUMER PROTECTION
Majority Report: That Substitute Senate Bill No. 6043 be substituted therefor, and the substitute bill do pass. Signed by Senators Fairley, Chair; Berkey, Vice Chair; Benton, Ranking Minority Member; Benson, Brandland, Delvin, Franklin, Keiser, Prentice, Schmidt and Spanel.
Staff: Joanne Conrad (786-7472)
Background: ChoicePoint, a large corporation dealing with 19 billion public records that include personal and financial data on millions of consumers, recently was the victim of a security breach. Due to this problem, 144,778 consumers, more than 3,000 of them Washingtonians, had personal information exposed to a criminal enterprise. In California, a state law requires notification of consumers when such a data security breach occurs. California is the only state with a notification law.
Summary of Bill: Any agency, person, or business that owns and licenses computerized data that includes personal information is required to inform Washington consumers of any breach of their data security, following discovery or notification of the breach. The notification must be made without unreasonable delay, consistent with the needs of law enforcement. Notification may not impede a criminal investigation.
"Personal information" covered by the duty to notify includes: social security numbers; driver's license or ID card numbers; and credit and debit card numbers in combination with access codes. Personal information does not include publicly available information from federal, state, and local government records.
Notice of the security breach may be provided by written or electronic notice, or by a "substitute notice" by e-mail, conspicuous website posting, or major statewide media.
As a matter of public policy, consumers cannot waive their right to notice.
Remedies include a civil action to recover damages, or injunctive relief against a business that violates the notice requirements.
Appropriation: None.
Fiscal Note: Not requested.
Committee/Commission/Task Force Created: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Testimony For: Federal regulations already have strict guidelines, and Congress will probably act on this issue. Meanwhile, if a state law is needed, it would be sensible to add the standard that the breach involve reasonable likelihood of a crime, rather than requiring notice of a mere technical breach.
Testimony Against: None.
Who Testified: PRO: Denny Eliason, WA Bankers Assoc., United Financial Lobby.