April saw amendments to Washington State's and North Dakota's breach notification statutes.
In a prior Orrick Alert, we discussed some of the implications of the proposed data breach notification amendments in Washington State, most of which were carried into the version of the bill that passed last month. In this alert, we summarize all of the significant changes in Washington State's new law and North Dakota's new law.
Washington
Washington State's amendments, which are by far the most sweeping, implement a number of important changes. Of most significant import is the change to the encryption exemption discussed in a prior Orrick alert published when the amendments were initially proposed. Under the law, companies will be required to provide notice to Washington State residents whose personal information is compromised unless the information is encrypted "in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard"[1] or otherwise modified so that it is unreadable, unusable, or undecipherable. The exemption is not absolute: the law also requires notice when encrypted personal information is compromised if the encryption key or cipher is also compromised.
Other notable changes include the following:
- Notice is not required if the breach is "not reasonably likely to subject consumers to a risk of harm"
- Notice must be written in "plain language" and include the name and contact information of the reporting entity (the entity experiencing the breach), the types of personal information compromised, and the toll-free numbers and addresses of the major credit reporting agencies
- Requires notice if paper records are compromised (previously, the statute applied only to computerized records)
- Requires consumer notification in the most expedient time possible and without unreasonable delay, not to exceed 45 days after discovery of the breach
- Requires notification of the Washington State Attorney General, no later than the time Washington State residents are notified, if more than 500 Washington residents were affected by the breach, along with a copy of the notice provided to consumers and an estimate of the total number of Washington State residents affected
- Exempts HIPAA covered entities from the statute's notification requirements if they comply with Section 13402 of the HITECH Act
- Exempts certain financial institutions under the authority of federal regulators per the Gramm-Leach-Bliley Act from the statute's notification requirements if they comply with the notification requirements in applicable federal guidelines
- Grants the Attorney General authority to bring enforcement actions for violations of the statute under the Washington Consumer Protection Act, RCW 19.86 (but excludes private consumer protection act claims)
North Dakota
North Dakota's amendments (passed the same day) make fewer, but still important, changes. Among other things, the North Dakota law:
- Requires organizations to notify the Attorney General if personal data for more than 250 North Dakota residents is compromised
- Narrows the scope of personal information so that employer-assigned identification numbers are covered only if the corresponding required security/access code or password is also compromised
- Requires notice to all affected North Dakota residents, even if the organization is not conducting business in North Dakota
Washington State's law becomes effective on July 24, 2015. North Dakota's law becomes effective on August 1, 2015.
[1] Although not explicit, presumably the law refers to NIST Federal Information Processing Standards Publication 197 (Nov. 26, 2001), which specifies the Advanced Encryption Standard (AES), available at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.