Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No more than 30 calendar days after discovery of the breach
Government Notification Required: Yes, if more than 500 Washington residents are affected
Scope of this Summary:
Notification requirements applicable to persons or businesses that conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if the breach is not reasonably likely to subject consumers to a risk of harm.
Breach Defined
Unauthorized acquisition of data that compromises the security, confidentiality, or integrity of the covered info. Good-faith acquisition by an employee or agent for the purposes of the business is not a breach, provided the information is not used or subject to further unauthorized disclosure.
Encryption Safe Harbor
Notification is not required for covered info that is "secured": encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard, or otherwise modified so that it is unreadable, unusable, or undecipherable by an unauthorized person. The safe harbor is lost if the encryption key, confidential process, or other means to decipher the data was also accessed or acquired, so the incident investigation must establish whether keys or decryption credentials were exposed, not only whether the data was encrypted.
Form of Covered Information
Electronic or Paper
Covered Information
- An individual's first name or first initial and last name in combination with any one or more of the following data elements:
  - Social security number.
  - Driver's license number or Washington identification card number.
  - Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account.
  - Full date of birth.
  - Private key that is unique to an individual and that is used to authenticate or sign an electronic record.
  - Student, military, or passport identification number.
  - Health insurance policy number or health insurance identification number.
  - Any information about a consumer's medical history or mental or physical condition or about a healthcare professional's medical diagnosis or treatment of the consumer.
  - Biometric data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voice print, eye retinas, irises, or other unique biological patterns or characteristics, that is used to identify a specific individual.
- Username or email address in combination with a password or security questions and answers that would permit access to an online account. This category stands on its own and does not require the individual's name.
- For state and local agencies only, under RCW § 42.56.590 as amended by SB 6187 (effective June 11, 2020), the list of regulated data elements is expanded to include the last four digits of a Social Security number.
Consumer Notice Timing
Must be made in the most expedient time possible without unreasonable delay but no more than 30 calendar days after the breach was discovered, consistent with any measures to determine the scope of the breach and to restore the reasonable integrity of the system.
Consumer Notice Method
Written notice, or electronic notice consistent with E-SIGN (15 U.S.C. § 7001). Substitute notice is available if certain criteria are satisfied. If the breach involves a username or password, notice may be given by email and must direct the consumer to promptly change the password and security question or answer, or to take other appropriate steps to protect the online account. If the breach involves the login credentials of an email account provided by the covered entity, notice cannot be sent to that email address; another permitted method must be used instead, such as clear and conspicuous notice delivered online when the consumer connects to the account from a location the entity knows the consumer customarily uses.
Consumer Notice Content
Notifications to affected individuals must be written in plain language and include, at a minimum, the following:
- The name and contact information of the reporting entity.
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.
- A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach.
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
Delayed Notice
Notification to consumers may be delayed if the data owner or licensee contacts a law enforcement agency after discovering the breach and the agency determines that notification will impede a criminal investigation. Notice must then be made once law enforcement determines that it will no longer compromise the investigation.
Government Notice
If more than 500 Washington residents must be notified, notice must also be provided to the Attorney General no more than 30 days after the breach was discovered. The Attorney General notice must include the number (or an estimate) of affected Washington residents, the types of personal information involved, the time frame of exposure, a summary of the steps taken to contain the breach, and a copy of the sample consumer notice. Any required information that is unknown when the notice is due must be supplied in an update as it becomes available.
Entities subject to HIPAA or to the federal Interagency Guidance are deemed to satisfy the consumer notice requirements by complying with those rules, but they must still notify the Attorney General.
Consumer Reporting Agency Notice
The Washington statutes do not require notice to credit reporting agencies.
Exceptions for Other Laws
Entities that are subject to the breach notification requirements and comply with either of the following are deemed in compliance with the consumer notification requirements, but may still be required to notify the Washington Attorney General (see Government Notice):
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), for entities subject to the HIPAA breach notification requirements.
- The Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Third-Party Notice
If you maintain covered info on behalf of another entity (the owner or licensee of the data), you must notify that entity immediately following discovery of a breach.
Private Right of Action
In Washington, any consumer injured by a violation of the general breach notification statute may institute a civil action to recover damages.
Potential Penalties
Violations may result in civil penalties.