Provides that any person or business that is required to disclose a breach of the security of the system under RCW 19.255.010, if that breach was comprised of five thousand or more unencrypted individual names or account numbers, shall be liable to a financial institution in negligence for actions reasonably undertaken in order to protect consumers.

Provides that a person or business will not be liable under this act if the person or business providing the data breach notice met industry standards for the handling, processing, and storage of personal information, maintained a policy on the treatment of personal information, and consistently provided training to staff on this policy at the time of the data breach.