Washington State legislators passed a new Data Breach bill, HB 1071, that strengthens data breach notification laws. The new law now includes the expansion of the definition of personal information and also reduces the breach notification deadline.
HB 1071 states that a “Breach of the security of the system” means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.
The new law applies to any person or business that conducts business in the State of Washington and owns or licenses data that includes personal information. That person/business will need to disclose any breach of the security of the system.
Prior to the passage of HB 1071, an organization impacted by a breach only had to contact its customers after a hacker obtained the following personal data elements: consumer’s name in combination with social security numbers, driver’s license numbers, state ID numbers or financial account information.
With the new law, HB 1071 now requires organizations to notify consumers if a hacker gains access to consumer’s name in combination with an expanded list of any of the following personal data types:
- Full birth dates
- Health insurance ID numbers
- Medical history
- Student ID numbers
- Military ID numbers
- Passport ID numbers
- Usernames and passwords
- Biometric data, such as DNA profiles or fingerprints
- Electronic signatures.
Impacted organizations will also be required to notify the Attorney General within 30 days of a breach (reduced from 45 days previous to the bill being signed).
“My office has seen the number of Washingtonians impacted by data breaches increase year after year,” Attorney General Bob Ferguson said in a press release on Monday. “Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data.”
HB 1071 comes after the increased threat of data breaches that have impacted the State of Washington residents and organizations. Nearly 3.4 million Washington residents were impacted by data breaches between July 2017 and July 2018.