13 Jul Washington Legislative Update
The Washington legislature recently amended its law governing the protection of consumer financial information due to a security breach, effective July 24, 2015.
WASHINGTON HOUSE BILL 1078
Any person or business that conducts business in Washington and that owns or licenses data (previously, computerized data) that includes personal information must disclose any breach of the security of the system, following discovery or notification of the breach, to any resident of Washington whose personal information (previously, unencrypted personal information) was, or is reasonably believed to have been, acquired by an unauthorized person and was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. A breach of secured personal information must be disclosed if the information acquired and accessed was not secured during the security breach, or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person.
The following provision has been deleted: The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The required notification may be delayed if the data owner or licensee contacts a law enforcement agency after discovery of a breach of the security of the system and a law enforcement agency determines that the notification will impede a criminal investigation. The notification must be made after the law enforcement agency determines that it will not compromise the investigation.
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social security number;
- Driver’s license number or Washington identification card number; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Previously, the name or the data elements had to be unencrypted in order to constitute “personal information.”
“Secured” means encrypted in a manner that meets or exceeds the National Institute of Standards and Technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.
A financial institution under the authority of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, or the Federal Reserve System is deemed to have complied with the requirements of this law with respect to “sensitive customer information” as defined in the federal Interagency Guidelines Establishing Information Security Standards, as they existed on July 24, 2015, if the financial institution provides notice to affected consumers pursuant to the Interagency Guidelines and the notice complies with the customer notice provisions of the Interagency Guidelines Establishing Information Security Standards, and the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice as it existed on July 24, 2015. The entity must notify the attorney general in addition to providing notice to its primary federal regulator.
Any consumer (previously customer) injured by a violation of this section may institute a civil action to recover damages.
Any person or business that violates, proposes to violate, or has violated this law may be enjoined.
The following provision has been deleted: A person or business will not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.
Any person or business that is required to issue notification must meet all of the following requirements:
- The notification must be written in plain language; and
- The notification must include, at a minimum, the following information:
  - The name and contact information of the reporting person or business;
  - A list of the types of personal information that were or are reasonably believed to have been the subject of a breach; and
  - The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
Any person or business that is required to issue a notification to more than 500 Washington residents as a result of a single breach must, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the attorney general. The person or business must also provide to the attorney general the number of Washington consumers affected by the breach, or an estimate if the exact number is not known.
Notification to affected consumers and to the attorney general must be made in the most expedient time possible and without unreasonable delay, and no more than 45 calendar days after the breach was discovered, unless notification is delayed at the request of law enforcement or due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
The attorney general may bring an action in the name of the state of Washington, or on behalf of persons residing in Washington, to enforce this law. For actions brought by the attorney general to enforce this law, the legislature finds that the practices covered are matters vitally affecting the public interest for the purpose of applying the Consumer Protection Act (the “Act”). For actions brought by the attorney general, a violation is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the Act. An action to enforce this law may not be brought under the Act.