Washington State House of Representatives Office of Program Research
BILL ANALYSIS
Technology, Energy & Communications Committee
HB 2574
This analysis was prepared by non-partisan legislative staff for the use of legislative members in
their deliberations. This analysis is not a part of the legislation nor does it constitute a
statement of legislative intent.
Brief Description: Requiring the encryption of certain personal information.
Sponsors: Representative Moeller.
Brief Summary of Bill
Hearing Date: 1/22/08
Staff: Kara Durbin (786-7133).
Background:
Encryption: Encryption is a process of converting data into a cipher or code that scrambles the
data so that a specific algorithm and key are required to unscramble it. Data can be in an
encrypted state while it is in storage ("at rest") or while it is being transmitted ("in flight").
Security Breach Law: In 2005, the Legislature enacted a security breach law. The law requires
state agencies and private companies to notify possibly affected persons when the security of a
system has been breached and unencrypted personal information is acquired by an unauthorized
person. A person or business is not required to disclose a technical breach if it does not seem
reasonably likely that it will subject customers to a risk of criminal activity.
"Personal information" is defined as the individual's first name or first initial and last name in
combination with one or more of the following data elements, when either the name or the data
elements are not encrypted:
"Personal information" does not include publicly available information that is lawfully made
available to the general public from federal, state, or local government records.
A customer injured by a violation of the security breach law may bring a civil action to recover
damages. Any business that violates, proposes to violate, or has violated this section may be
enjoined. The rights and remedies available under the security breach law are cumulative to
each other and to any other rights and remedies available under law.
Disposal of Personal Information Law: State law places restrictions on how certain types of
personal information may be disposed of. If a person or business is disposing of records containing
personal financial and health information and personal identification numbers issued by a
government entity, the person or business must take all reasonable steps to destroy, or arrange
for the destruction of, such information.
Summary of Bill:
Any person or business that conducts business in the state must use encryption to secure personal
information if the person or business is transmitting or storing personal information on a
computer server that is primarily accessed through either:
(1) a direct connection to the internet; or
(2) a computer network that is primarily accessed over the internet.
This encryption requirement does not apply to personal information transmitted or stored on a
closed network or a virtual private network. A person or business is deemed in compliance with
this bill if the person or business uses encryption practices that are generally accepted in the
industry.
A violation of the existing security breach law or this bill is a violation of the Consumer
Protection Act.
The Department of Information Services must adopt rules to implement this bill.
"Encryption" is defined as the use of an algorithmic process to transform data into a form in
which the data is rendered unreadable or unusable without use of a confidential process or key.
Definitions contained in the existing security breach law are reorganized.
Appropriation: None.
Fiscal Note: Requested on January 14, 2008.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.