AN ACT Relating to claims due to a breach of the security of a state database or information technology system; adding new sections to chapter 4.92 RCW; making an appropriation; and declaring an emergency.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

NEW SECTION.  Sec. 1. A new section is added to chapter 4.92 RCW to read as follows:

(1) The digital data breach reimbursement claims program is created in the office of risk management. In the event of a breach of the security of the system owned or operated by the state that results in the release of personal information, eligible individuals may submit a claim for reimbursement to the office of risk management for the following costs incurred within one year of the date of the breach:

(a) Identity restoration services if an individual discovers unauthorized use of their personal information;

(b) Losses from unauthorized charges to financial accounts that result in direct financial harm to the individual;

(c) The cost for a new driver's license; and

(d) Costs for one year of credit monitoring.

(2) All claims against the state, or against the state's officers, employees, or volunteers, acting in such capacity, for damages, must be presented to the office of risk management within one year of the breach. A claim is deemed presented when the claim form is delivered in person or by regular mail, registered mail, or certified mail, with return receipt requested, or as an attachment to email or by fax, to the office of risk management. The office of risk management must develop a standardized claim form for individuals to use to submit a claim. The office must review all claims and determine if the claim is eligible for payment.

(3) For the purposes of this section and section 2 of this act, "breach of the security of the system" and "personal information" have the meanings defined in RCW 19.255.005.

NEW SECTION.  Sec. 2. A new section is added to chapter 4.92 RCW to read as follows:

The state digital data breach account is created in the custody of the state treasurer. Revenues to the account consist of legislative appropriations and transfers and other revenues provided by law. If the office of the attorney general brings an action in the name of the state or on behalf of its residents under chapter 19.86 RCW or other law for injuries suffered from a breach of the security of the system owned or operated by the state, any damages, restitution, or penalties received from such an action must be deposited into the account. Expenditures from the account may only be used for the payment of eligible claims provided in section 1 of this act. Only the director or the director's designee may authorize expenditures from the account. The account is subject to allotment procedures under chapter 43.88 RCW, but an appropriation is not required for expenditures.

NEW SECTION.  Sec. 3. The sum of $52,000,000, or as much thereof as may be necessary, is appropriated from the general fund for fiscal year 2022 solely for expenditure into the state digital data breach account created in section 2 of this act.

--- END ---