Washington Code § 19.255.010 et seq.
Enacted: 7.1.2010
Type of Data Covered: Any form of data.
Is Breach Defined?
"For purposes of this section, "breach of the security of the system" means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure."
When is notice required?
Notice is required for any affected resident. It "may be delayed if the data owner or licensee contacts a law enforcement agency after discovery of a breach of the security of the system and a law enforcement agency determines that the notification will impede a criminal investigation," but is then required as soon as law enforcement allows. Notice may be written, electronic, or via "substitute notice" procedures, depending on circumstances. The notice shall be written in plain language and include the name and contact information of the reporting business or person, the types of information compromised, and toll-free numbers to credit reporting agencies. Notice is given in the most expedient time possible, but should not come after 45 days unless there is a law enforcement reason or a delay in determining scope and restoring integrity. If the breach affects over 500 residents, the Attorney General must receive a copy of the notice.
What are the penalties for non-compliance?
Violations have their own section of the law, § 19.255.010(17), which reads as follows:
"(17) The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce this section. For actions brought by the attorney general to enforce this section, the legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. For actions brought by the attorney general to enforce this section, a violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for purposes of applying the consumer protection act, chapter 19.86 RCW. An action to enforce this section may not be brought under RCW 19.86.090."
Will you be ready when someone blows the top off your data security system?