SENATE BILL REPORT

SHB 1071

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of April 5, 2019

Title: An act relating to breach of security systems protecting personal information.

Brief Description: Protecting personal information.

Sponsors: House Committee on Innovation, Technology & Economic Development (originally sponsored by Representatives Kloba, Dolan, Tarleton, Slatter, Valdez, Ryu, Appleton, Smith, Stanford and Frame; by request of Attorney General).

Brief History: Passed House: 3/01/19, 94-0.

Committee Activity: Environment, Energy & Technology: 3/20/19, 3/26/19 [DPA-WM, DNP].

Ways & Means: 4/04/19.

Brief Summary of Amended Bill

  • Expands definition of personal information.

  • Requires consumers and the attorney general to be notified no more than 30 days after the discovery of a data breach.

  • Amends consumer and attorney general notification requirements.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Majority Report: Do pass as amended and be referred to Committee on Ways & Means.

Signed by Senators Carlyle, Chair; Palumbo, Vice Chair; Fortunato, Assistant Ranking Member, Environment; Billig, Brown, Das, Hobbs, Liias, McCoy, Nguyen, Rivers, Short and Wellman.

Minority Report: Do not pass.

Signed by Senator Ericksen, Ranking Member.

Staff: Angela Kleis (786-7469)

SENATE COMMITTEE ON WAYS & MEANS

Staff: Sarian Scott (786-7729)

Background: State Security Breach Laws. Under current law, any person or business that conducts business in Washington and all agencies that own, license, or maintain personal information must meet specified requirements regarding the disclosure of any breach of the security system. Certain federally regulated data sets are exempt from disclosure.

Definition of Personal Information. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification Requirements. Consumer. The breach notification issued to affected, and possibly affected, consumers by a person, business, or agency must be in plain language and include the following:

Attorney General. If more than 500 Washington residents affected by a single breach are required to be notified, the reporting person, business, or agency must also submit to the attorney general a copy of the notification sent to consumers and the general number of affected Washington residents.

In general, consumers and the attorney general must be notified of a data breach in the most expedient time possible, without unreasonable delay, and no more than 45 days after the breach was discovered.

Summary of Amended Bill: Definition of Personal Information. When used in combination with an individual's first name or first initial and last name, the definition of personal information is expanded to include:

The definition of personal information also includes:

Notification Requirements. Consumer. In addition to current requirements, notifications to a consumer must include a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach. Consumers must be notified of a data breach no more than 30 days after the breach was discovered with certain exceptions.

An agency may delay notification to a consumer for up to an additional 14 days to allow for notification to be translated into the primary language of the affected consumer.

Attorney General. In addition to current requirements, notifications to the attorney general must include:

The attorney general must be notified of a data breach no more than 30 days after the discovery of a data breach. The notice must be updated if any required information is unknown at the time notice is due.

EFFECT OF ENVIRONMENT, ENERGY & TECHNOLOGY COMMITTEE AMENDMENT(S):

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: The bill takes effect on March 1, 2020.

Staff Summary of Public Testimony on Substitute House Bill (Environment, Energy & Technology): The committee recommended a different version of the bill than what was heard. PRO: Data breaches are a significant, growing threat to Washington residents. Consumers have the right to know when a data breach has occurred as soon as possible. Overall, Washington residents feel their data is less secure but they are not taking the necessary steps to protect their data. This bill will strengthen consumer protections.

OTHER: We prefer federal regulation. The notification deadlines of 35 days to consumers and 25 days to the attorney general are more appropriate. Date of birth should not be included in the definition of personal information. Alternative notification options should be added in order to address instances where the data breach included email account credentials.

Persons Testifying (Environment, Energy & Technology): PRO: Representative Shelley Kloba, Prime Sponsor; Emilia Jones, Attorney General's Office; Joanna Grist, AARP. OTHER: Mark Johnson, Washington Retail; Mike Hoover, TechNet; Bob Battles, Association of Washington Business.

Persons Signed In To Testify But Not Testifying (Environment, Energy & Technology): No one.

Staff Summary of Public Testimony on the Bill as Amended by Environment, Energy & Technology (Ways & Means): PRO: There is an urgent need for this legislation. In light of the growing threat to our personal information, this year so far, the Attorney General's Office has received over a dozen reports of major data breaches. They have included information like Social Security numbers and bank account numbers that have been compromised. Last year there were 3.4 million Washingtonians that were affected by data breaches that we know of, but that number could be higher if someone's passport ID number or their e-mail address and password were affected. That would not be reported because it is not considered personal information under our current data breach statute. This bill will expand the definition of personal information and it will reduce the deadline to notify both the attorney general's office and a consumer, if they do not know their data has been compromised so they can take steps to protect themselves earlier. This version of the bill is a result of a long stakeholder engagement process.

Persons Testifying (Ways & Means): PRO: Emilia Jones, Attorney General's Office.

Persons Signed In To Testify But Not Testifying (Ways & Means): No one.