Background:

Washington data breach notification law requires any state or local agency that owns or licenses data that includes personal information to provide a data breach notice to Washington residents whose unencrypted personal information is (or is reasonably believed to have been) acquired by an unauthorized person as a result of a data breach. Notice is not required if the data breach is not reasonably likely to subject Washington residents to a risk of harm.

Any agency that maintains, but does not own, data that includes personal information must also notify the owner or licensee of that data of any data breach, if the owner's or licensee's personal information is (or is reasonably believed to have been) acquired by an unauthorized person.

An agency may provide a data breach notice in writing or as an electronic notice. Under certain circumstances, an agency may issue a substitute notice consisting of an electronic mail (e-mail) notice, conspicuous website notice, and notification to major statewide media.

A data breach notice must include the following information:

the name and the contact information of the reporting agency;
a list of the types of personal information that were, or are reasonably believed to have been, the subject of a data breach;
a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; and
the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.

Data breach notices must be provided to affected individuals no more than 30 days after the breach is discovered. If a breach requires notice to more than 500 Washington residents, the reporting agency must also notify the Attorney General of the breach no more than 30 days after the breach was discovered. Delayed notice is permitted if requested by a law enforcement agency or to allow for notification to be translated into the primary language of the affected consumers.

For purposes of data breach notification, "personal information" means an individual's first name or first initial and last name in combination with one or more of the following data elements:

Social Security number;
driver's license number or Washington identification card number;
account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
full date of birth;
a private key that is unique to an individual and that is used to authenticate or sign an electronic record;
student, military, or passport identification number;
health insurance policy number or health insurance identification number;
any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that may identify a specific individual.

Additionally, "personal information" includes any of the above-listed data elements, alone or in combination, without the consumer's first name or first initial and last name, if encryption has not rendered the data elements unusable and if the data elements would enable a person to commit identity theft against a consumer. "Personal information" also includes username and e-mail address in combination with a password or security questions and answers that would permit access to an online account.

"Personal information" does not include publicly available information lawfully made available to the general public from federal, state, or local government records.