Requires any person or business that conducts business in this state or that owns or licenses computerized data that includes consumer personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to Washington state residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Creates a direct cause of action for financial institutions against data custodians that unnecessarily retain consumer personal information or fail to meet rudimentary precautions designed to protect consumer personal information.

Takes effect January 1, 2009.