Washington State Significantly Expands Data Breach Notification Requirements

Michael Droke
Dorsey & Whitney LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Washington State Governor Jay Inslee signed legislation making Washington among the five US states with the most rigorous data breach notification laws enacted to date. Washington joins Florida, Ohio, Vermont, and Wisconsin in imposing strict and specific obligations on any business that has suffered a data breach. The new law was effective immediately.

The new law applies to all entities that conduct business in Washington. The law amends Washington’s previous breach notification law (Rev. Code Wash. §19.255.010) in significant ways including the following:

  1. breached entities must notify affected consumers within 45 days (ie, in place of the current requirement of an “expedient time… without unreasonable delay”);
  2. breached entities must now inform the Washington Attorney General of the data breach incident within 45 days if the data breach affects more than 500 Washington residents;
  3. the Washington Attorney General is authorized to bring an enforcement action against a breached entity for non-compliance both directly on behalf of the State of Washington, and as representative of affected individuals.
  4. limited exceptions to the 45 day notice requirement are available to provide law enforcement the opportunity to analyze the potential impact on criminal investigations or “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system”;
  5. breaches involving any type of data (ie, paper documents in addition to “computerized data”) will be covered;
  6. breaches of encrypted data will also be covered in the event that unauthorized persons acquired “other means to decipher the secured information”; and
  7. the breach incident notice must be written “in plain language” and to include specific details of the breach.

In practice, this law reemphasizes the importance of collaboration between legal, risk management, and technology departments. In addition to Washington’s new law, data breach lawsuits have been filed under theories as wide-ranging as breach of contract, ERISA fiduciary duty, and failure to secure health information of employees. Companies of all sizes are encouraged to work with counsel to reduce cyber risk.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP
Dorsey & Whitney LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Dorsey & Whitney LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide