BILL REQ. #:  H-1747.1 



_____________________________________________ 

HOUSE BILL 2102
_____________________________________________
State of Washington   60th Legislature   2007 Regular Session

By Representatives Morris and Hudgins

Read first time 02/08/2007.   Referred to Committee on Technology, Energy & Communications.



     AN ACT Relating to records retained by communications providers; and adding new sections to chapter 19.250 RCW.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 1   A new section is added to chapter 19.250 RCW to read as follows:
     The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
     (1) "Covered entity" means: (a) A radio communications service company, as defined in RCW 80.04.010 and (b) any provider of internet protocol-enabled voice.
     (2) "Customer profile data" means account information and other nonpublic personal information about a customer stored by a covered entity.
     (3) "Nonpublic personal information" means personally identifiable information that is not readily available through public sources. "Nonpublic personal information" may include any of the following information: (a) A bank account number; (b) a social security number; (c) a credit or debit card number; (d) a personal identification number; (e) an automated or electronic signature; (f) unique biometric data; (g) account passwords or access codes; (h) medical information; and (i) a unique tag number. "Nonpublic personal information" does not include publicly available information that a person has a reasonable basis to believe is lawfully made available to the general public from federal, state, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state, or local law. "Nonpublic personal information" shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but does not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
     (4) "Substantially" means a redesign or upgrade of more than twenty-five percent of the code or database structures of the billing system.

NEW SECTION.  Sec. 2   A new section is added to chapter 19.250 RCW to read as follows:
     (1) When a covered entity substantially upgrades or replaces their billing or records management system, the resulting system must be capable of verifying and recording which person or persons, internal or external, have had access to customer profile data.
     (2) Upon written request by a customer, any covered entity shall release to the customer all customer profile data pertaining to that customer, including the identity of any individual or entity, internal or external, who has had access to the requesting customer's records. The customer may request a copy of their records once per year free of charge. The customer may be charged a nominal fee for subsequent requests. Any customer profile data collected by a covered entity must be retained and remain accessible to the customer for at least two years.
     (3) After reviewing his or her customer profile data pursuant to subsection (2) of this section, a customer must be given the opportunity to:
     (a) Contest the accuracy, completeness, timeliness, relevance, or dissemination of his or her customer profile data;
     (b) Correct or amend the information contained in his or her customer profile data; and
     (c) Request that customer profile data be removed or destroyed from the database, unless removal or destruction of the information would be contrary to applicable state or federal law.

NEW SECTION.  Sec. 3   A new section is added to chapter 19.250 RCW to read as follows:
     A covered entity must implement adequate security measures to protect customer profile data and customer records from unauthorized access, loss, or tampering. These security measures should be consistent with industry accepted best standards that are commensurate with the amount and sensitivity of the customer information being stored on the system.

--- END ---