SENATE BILL REPORT

SHB 1071

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by Senate Committee On:

Environment, Energy & Technology, March 26, 2019

Title: An act relating to breach of security systems protecting personal information.

Brief Description: Protecting personal information.

Sponsors: House Committee on Innovation, Technology & Economic Development (originally sponsored by Representatives Kloba, Dolan, Tarleton, Slatter, Valdez, Ryu, Appleton, Smith, Stanford and Frame; by request of Attorney General).

Brief History: Passed House: 3/01/19, 94-0.

Committee Activity: Environment, Energy & Technology: 3/20/19, 3/26/19 [DPA-WM, DNP].

Brief Summary of Amended Bill

Expands definition of personal information.
Requires consumers and the attorney general to be notified no more than 30 days after the discovery of a data breach.
Amends consumer and attorney general notification requirements.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Majority Report: Do pass as amended and be referred to Committee on Ways & Means.

Signed by Senators Carlyle, Chair; Palumbo, Vice Chair; Fortunato, Assistant Ranking Member, Environment; Billig, Brown, Das, Hobbs, Liias, McCoy, Nguyen, Rivers, Short and Wellman.

Minority Report: Do not pass.

Signed by Senator Ericksen, Ranking Member.

Staff: Angela Kleis (786-7469)

Background: State Security Breach Laws. Under current law, any person or business that conducts business in Washington and all agencies that own, license, or maintain personal information must meet specified requirements regarding the disclosure of any breach of the security system. Certain federally regulated data sets are exempt from disclosure.

Definition of Personal Information. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

social security number;
driver's license number or Washington identification card number; or
information that would permit access to an individual's financial account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification Requirements. Consumer. The breach notification issued to affected, and possibly affected, consumers by a person, business, or agency must be in plain language and include the following:

name and contact information of reporting person, business, or agency;
a list of the type of personal information believed to be subject to the breach; and
contact information of major credit reporting agencies if the breach exposed personal information.

Attorney General. If more than 500 Washington residents affected by a single breach are required to be notified, the reporting person, business, or agency must also submit to the attorney general a copy of the notification sent to consumers and the general number of affected Washington residents.

In general, consumers and the attorney general must be notified of a data breach in the most expedient time possible, without unreasonable delay, and no more than 45 days after the breach was discovered.

Summary of Amended Bill: Definition of Personal Information. When used in combination with an individual's first name or first initial and last name, the definition of personal information is expanded including:

full date of birth;
an individual's unique private key that is used to sign an electronic record;
student, military, or passport identification number;
health insurance policy number;
consumer medical information; and
an individual's biometric data generated by automatic measurements.

The definition of personal information also includes:

a combination of username or email address with a password or security questions and answers that would permit access to an online account; and
any data elements or combination of data elements without the consumer's first name or first initial and last name that meet certain conditions.

Notification Requirements. Consumer. In addition to current requirements, notifications to a consumer must include a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach. Consumers must be notified of a data breach no more than 30 days after the breach was discovered with certain exceptions.

An agency may delay notification to a consumer for up to an additional 14 days to allow for notification to be translated into the primary language of the affected consumer.

Attorney General. In addition to current requirements, notifications to the attorney general must include:

a list of the type of personal information believed to have been the subject of a breach;
a time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach;
a summary of steps taken to contain the breach; and
a sample copy of the security breach notification.

The attorney general must be notified of a data breach no more than 30 days after the discovery of a data breach. The notice must be updated if any required information is unknown at the time notice is due.

EFFECT OF ENVIRONMENT, ENERGY & TECHNOLOGY COMMITTEE AMENDMENT(S):

Authorizes alternative notification options if the breach of security involves personal information including username or password or login credentials of an email account.
Authorizes an agency to delay notification to a consumer for up to an additional 14 days in order for the notification to be translated into the primary language of the affected consumer.
Makes technical corrections.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: The bill takes effect on March 1, 2020.

Staff Summary of Public Testimony on Substitute House Bill: The committee recommended a different version of the bill than what was heard. PRO: Data breaches are a significant, growing threat to Washington residents. Consumers have the right to know when a data breach has occurred as soon as possible. Overall, Washington residents feel their data is less secure but they are not taking the necessary steps to protect their data. This bill will strengthen consumer protections.

OTHER: We prefer federal regulation. The notification deadlines of 35 days to consumers and 25 days to the attorney general are more appropriate. Date of birth should not be included in the definition of personal information. Alternative notification options should be added in order to address instances where the data breach included email account credentials.

Persons Testifying: PRO: Representative Shelley Kloba, Prime Sponsor; Emilia Jones, Attorney General's Office; Joanna Grist, AARP. OTHER: Mark Johnson, Washington Retail; Mike Hoover, TechNet; Bob Battles, Association of Washington Business.

Persons Signed In To Testify But Not Testifying: No one.