SENATE BILL REPORT

SB 5064

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of March 4, 2019

Title: An act relating to breach of security systems protecting personal information.

Brief Description: Protecting personal information.

Sponsors: Senators Nguyen, Darneille, Hasegawa, Wellman, Keiser, Zeiger, Kuderer and Saldaña; by request of Attorney General.

Brief History:

Committee Activity: Environment, Energy & Technology: 1/22/19, 2/07/19 [DPS-TRAN].

Transportation: 2/19/19, 2/20/19 [w/oRec-WM].

Ways & Means: 2/28/19.

Brief Summary of Bill

  • Expands definition of personal information.

  • Requires the attorney general to be notified no more than 25 days after the discovery of a data breach.

  • Requires consumers to be notified no more than 35 days, with certain exceptions, after the discovery of a data breach.

  • Amends consumer and attorney general notification requirements.

SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY

Majority Report: That Substitute Senate Bill No. 5064 be substituted therefor, and the substitute bill do pass and be referred to Committee on Transportation.

Signed by Senators Carlyle, Chair; Palumbo, Vice Chair; Ericksen, Ranking Member; Fortunato, Assistant Ranking Member, Environment; Billig, Brown, Das, Hobbs, Liias, McCoy, Nguyen, Rivers, Short and Wellman.

Staff: Angela Kleis (786-7469)

SENATE COMMITTEE ON TRANSPORTATION

Majority Report: That it be referred without recommendation and be referred to Committee on Ways & Means.

Signed by Senators Hobbs, Chair; Saldaña, Vice Chair; King, Ranking Member; Sheldon, Assistant Ranking Member; Cleveland, Das, Fortunato, Lovelett, Nguyen, O'Ban, Padden, Randall, Takko, Wilson, C. and Zeiger.

Staff: Kim Johnson (786-7472)

SENATE COMMITTEE ON WAYS & MEANS

Staff: Sarian Scott (786-7729)

Background: State Security Breach Laws. Under current law, any person or business that conducts business in Washington and all agencies that own, license, or maintain personal information must meet specified requirements regarding the disclosure of any breach of the security system. Certain federally regulated data sets are exempt from disclosure.

Definition of Personal Information. Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements:

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification Requirements. The breach notification issued to affected, and possibly affected, consumers by a person, business, or agency must be in plain language and include the following:

If more than 500 Washington residents affected by a single breach are required to be notified, the reporting person, business, or agency must also submit to the attorney general a copy of the notification sent to consumers and the general number of affected Washington residents.

Consumers and the attorney general must be notified of a data breach in the most expedient time possible and without unreasonable delay, no more than 45 days after the breach was discovered, with certain exceptions.

Summary of Bill: Definition of Personal Information. When used in combination with an individual's first name or first initial and last name, the definition of personal information is expanded to include the following data elements:

The definition of personal information also includes:

Notification Requirements. In addition to current requirements, notifications to a consumer must include the time frame of exposure, if known, including the date of the breach and the date of discovery of the breach. Consumers must be notified of a data breach no more than 35 days after the breach was discovered, with certain exceptions.

Notifications to the attorney general must include the following:

The attorney general must be notified of a data breach no more than 25 days after the breach was discovered. The notice must be updated if any required information is unknown at the time notice is due.

EFFECT OF CHANGES MADE BY ENVIRONMENT, ENERGY & TECHNOLOGY COMMITTEE (First Substitute):

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: The bill takes effect on March 1, 2020.

Staff Summary of Public Testimony on Proposed Substitute (Environment, Energy & Technology): The committee recommended a different version of the bill than what was heard. PRO: Dealing with the aftermath of a breach can be a frustrating experience for consumers. We trust our most personal information to these companies and it deserves to be treated with dignity and respect. The current definition of personal information is too narrow to effectively protect consumers in today's environment. A recent study showed most security breaches are not discovered until after 100 days of the breach. The number of days after a breach needs to be shortened in order to allow consumers to take the necessary steps to protect themselves. We think these protections should be extended to public employees if employers are breached.

OTHER: We think the notification timelines included in the bill are too short and do not provide businesses enough time to complete the complex analyses. An effective date of March 2020 would be more appropriate in order to allow for implementation outside of the holiday season. We have concerns with the use of full date of birth as a separate data element when associated with a name set because inclusion might expand the number of groups regulated by this act. We think the bill could be improved by adding a safe harbor for our mutual defense; aligning notification format with current cybersecurity practices; and adding options for referencing other industry-accepted standards.

Persons Testifying (Environment, Energy & Technology): PRO: Senator Joe Nguyen, Prime Sponsor; Lucinda Young, Washington Education Association; Shannon Smith, Attorney General's Office. OTHER: Trent House, Washington Bankers Association and United Financial Lobby; Mark Johnson, Washington Retail Association; Tom McBride, CompTIA; Bob Battles, Association of Washington Business; Rowland Thompson, Allied Daily Newspapers of Washington.

Persons Signed In To Testify But Not Testifying (Environment, Energy & Technology): No one.

Staff Summary of Public Testimony on First Substitute (Transportation): PRO: This is a bill about protecting our personal information and giving us some control over our data privacy as well. As companies are profiting off our information, we should have some protections in place. Last year 3.2 million Washingtonians were affected by a data breach. This number is low because current reporting does not include instances where a person's email and password were compromised.

CON: We would like the bill to be amended to require third party data administrators to notify the owner of the data about a breach and allow them the option to let the owner do the notification instead of the third party data administrator. We would also like to see a safe harbor provision as long as there continues to be a private right of action.

OTHER: The prime sponsor and attorney general's office have worked well with us. We think simultaneous notification to the AG and the consumer makes sense. Earlier notification to the AG can increase costs because you are focusing your effort on getting the notice to the AG instead of focusing on notice to the consumer and investigation of what happened. The definition of secure specifies a particular technical standard, and we believe it should be modified to reflect other standards that are equally as secure.

Persons Testifying (Transportation): PRO: Senator Joe Nguyen, Prime Sponsor; Emilia Jones, Attorney General's Office. CON: Mark Johnson, Washington Retail. OTHER: Tom McBride, CompTIA.

Persons Signed In To Testify But Not Testifying (Transportation): No one.

Staff Summary of Public Testimony on First Substitute (Ways & Means): PRO: Urgently needed to keep up with threats to personal information. This was a result of a long stakeholder process.

CON: We do not think it goes far enough. It should be strengthened. If a third party is the breach, have them notify instead of the retailer.

Persons Testifying (Ways & Means): PRO: Emilia Jones, Attorney General's Office. CON: Mark Johnson, Washington Retail.

Persons Signed In To Testify But Not Testifying (Ways & Means): No one.