WSR 17-23-188
OFFICE OF THE INSURANCE COMMISSIONER
[Filed November 22, 2017, 10:03 a.m.]
Technical Assistance Advisory 2017-01A [1][2]
TO: All Licensees with Consumers residing in the State of Washington
FROM: Insurance Commissioner, Mike Kreidler
DATE: November 13, 2017
SUBJECT: Two Day Notification Requirement for Security Breaches
A security breach is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.[3]
Two types of information are included within the security breach notification requirements:
personal information that seems reasonably likely to subject consumers to a risk of criminal activity,[4] and
unsecured protected health information where the breach compromises the security or privacy of the consumer's protected information.[5]
If a security breach of either of these types occurs, all licensees must notify the Insurance Commissioner. The notification must be made in writing and must include the number of consumers potentially affected and the actions being taken by the licensee.
For breaches of personal information, the notification must be made within two (2) business days after determining that notification must be sent to consumers or customers, and that the breach seems reasonably likely to subject consumers to a risk of criminal activity.[6]
For breaches of unsecured protected health information, the notification must be made within two (2) business days after the breach occurs. A security breach of unsecured protected health information occurs on the first day on which the breach is known to the licensee, or the date on which the breach should have been known to the licensee if reasonable diligence had been used.[7] A licensee is considered to have knowledge of a breach if the event is known, or, by exercising reasonable diligence, would have been known, to any person who works for or is an agent of the licensee.[8]
Failure to notify the Insurance Commissioner is considered an unfair practice.[9] It may result in the levying of fines or an order to cease and desist the selling of insurance in the state of Washington under RCW 48.30.010.
For a single breach of personal information that involves more than five hundred (500) Washington residents, the person or business must also notify the Washington State Attorney General's Office.[10] A breach of unsecured protected health information must also be reported, and notification provided, pursuant to 45 C.F.R. 164.400 through 164.410.
For any questions related to security breach notifications, please contact Dan Halpin, Compliance Analyst, at DanH@oic.wa.gov, or (360) 725-7089.
[1] This advisory is an interpretive policy statement released to advise the public of the OIC's current opinions, approaches, and likely courses of action. It is advisory only. RCW 34.05.230(1).
[2] This TAA replaces and supersedes TAA 2017-01, issued on April 30, 2017.
[3] RCW 19.255.010(4).
[4] RCW 19.255.010(5); WAC 284-04-625(2)(a). Categories include social security number, driver's license number or Washington identification card number, and account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
[5] WAC 284-04-625(2)(b).
[6] WAC 284-04-625(2).
[7] See 45 C.F.R. 164.404(a)(2).
[8] See 45 C.F.R. 164.404(a)(2); WAC 390-05-190.
[9] WAC 284-04-625(1).
[10] Please refer to: http://www.atg.wa.gov/data-breach-notifications