FINAL BILL REPORT
SB 6187
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
C 65 L 20
Synopsis as Enacted
Brief Description: Modifying the definition of personal information for notifying the public about data breaches of a state or local agency system.
Sponsors: Senator Zeiger.
Senate Committee on State Government, Tribal Relations & Elections
House Committee on Innovation, Technology & Economic Development
Background: Data Breach Notification. Any state or local agency that owns, maintains, or licenses data including personal information must disclose any breach of the security of the system to any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person if the personal information was not secured during the breach. Notification may be made in writing or electronically, if electronic notification is consistent with federal law. Substitute notice via email, through posting on the state or local agency's website, or notification to major statewide media, may be provided under certain circumstances.
With some exceptions, notification of a data breach must be made no more than 30 days after the breach was discovered. Notification of a data breach must be in plain language and must include:
the name and contact information of the reporting agency;
a list of the types of personal information that were subject to the breach;
a time frame of exposure, including the date of the breach and the date of the discovery of the breach; and
the toll-free phone numbers of the major credit reporting agencies if the breach exposed personal information.
Any state or local agency required to issue a notification to more than 500 Washington residents as a result of a single breach must notify the attorney general of the breach no more than 30 days after discovery of the breach.
Personal Information. Personal information is an individual's first name or first initial and last name with any one or more of the following data elements:
social security number;
driver's license number or Washington identification card number;
account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual's financial account;
full date of birth;
private key that is unique to an individual and used to authenticate or sign an electronic record;
student, military, or passport identification number;
health insurance policy number or health insurance identification number;
any information about a consumer's medical history, mental or physical condition, health care professional's medical diagnosis, or treatment of the consumer; or
biometric data generated by automatic measurements of an individual's biological characteristics.
These data elements are considered personal information without the consumer's name if:
encryption, redaction, or other methods have not rendered the data element unusable; and
the data element would enable a person to commit identity theft against a consumer.
Personal information also means a username or email address in combination with a password or security questions and answers that would permit access to an online account.
Personal information does not include publicly available information lawfully made available to the general public from federal, state, or local government records.
Summary: For the purposes of the data breach notification requirements for state and local agencies, the last four digits of the social security number are added to the definition of personal information.
Votes on Final Passage:
Senate 47 0
House 97 0
Effective: June 11, 2020