SENATE BILL REPORT

SB 6187

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed Senate, February 17, 2020

Title: An act relating to modifying the definition of personal information for notifying the public about data breaches of a state or local agency system.

Brief Description: Modifying the definition of personal information for notifying the public about data breaches of a state or local agency system.

Sponsors: Senator Zeiger.

Brief History:

Committee Activity: State Government, Tribal Relations & Elections: 1/24/20, 1/31/20 [DP].

Floor Activity:

Passed Senate: 2/17/20, 47-0.

Brief Summary of Bill

  • Adds the last four digits of the social security number to the definition of personal information in the state data breach notification laws for state and local agencies.

SENATE COMMITTEE ON STATE GOVERNMENT, TRIBAL RELATIONS & ELECTIONS

Majority Report: Do pass.

Signed by Senators Hunt, Chair; Kuderer, Vice Chair; Zeiger, Ranking Member; Muzzall, Assistant Ranking Member; Hasegawa and Takko.

Staff: Jarrett Sacks (786-7448)

Background: Data Breach Notification. Any state or local agency that owns, maintains, or licenses data including personal information must disclose any breach of the security of the system to any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person if the personal information was not secured during the breach. Notification may be made in writing or electronically, if electronic notification is consistent with federal law. Substitute notice via email, through posting on the state or local agency's website, or notification to major statewide media, may be provided under certain circumstances.

With some exceptions, notification of a data breach must be made no more than 30 days after the breach was discovered. Notification of a data breach must be in plain language and must include:

Any state or local agency required to issue a notification to more than 500 Washington residents as a result of a single breach must notify the attorney general of the breach no more than 30 days after discovery of the breach.

Personal Information. Personal information is an individual's first name or first initial and last name with any one or more of the following data elements:

These data elements are considered personal information without the consumer's name if:

Personal information also means a username or email address in combination with a password or security questions and answers that would permit access to an online account.

Personal information does not include publicly available information lawfully made available to the general public from federal, state, or local government records.

Summary of Bill: For the purposes of the data breach notification requirements for state and local agencies, the last four digits of the social security number are added to the definition of personal information.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: The state holds a lot of personal information. In the event of a breach, the data must be disclosed. The current statute does not include the last four digits of the Social Security number. The bill will allow people to protect themselves from identity theft.

Persons Testifying: Senator Hans Zeiger, Prime Sponsor.

Persons Signed In To Testify But Not Testifying: No one.