Washington

Wash. Rev. Code § 19.255.010 et seq.

S.B. 6043 (signed into law May 10, 2005, Chapter 368)

Effective July 24, 2005

H.B. 1149 (signed into law March 22, 2010) requiring reimbursement from payment processors, businesses, and vendors to financial institutions for the cost of replacing credit and debit cards after a breach

Effective July 1, 2010

Application. Any state or local agency or any person or business which conducts business in WA (collectively, Entity) that owns or licenses computerized data that includes PI.

Security Breach Definition. Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the Entity.

Good-faith acquisition of PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of the security of the system when the PI is not used or subject to further unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of WA whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.

An Entity shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.

Third-Party Data Notification. Any Entity that maintains computerized data that includes PI that the Entity does not own shall notify the owner or licensee of the information of any breach immediately following discovery, if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

Social Security Number;
Driver license number or Washington identification card number;
Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notice Required. Notice may be provided by the following methods:

Written notice; or
Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).

Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:

Email notice when the Entity has an email address for the subject persons;
Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
Notification to major statewide media.

Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of PI and is otherwise consistent with the timing requirements of this section is in compliance with the notification requirements of this section if the Entity notifies subject persons in accordance with its policies in the event of a breach of security.

Other Key Provisions:

Delay for Law Enforcement. Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The required notification shall be made after the law enforcement agency determines that it will not compromise the investigation.
Private Right of Action. Any customer injured by a violation of this section may institute a civil action to recover damages.
Waiver Not Permitted.

Reimbursement from Businesses to Financial Institutions. In the event of a breach where an entity held unencrypted account information or was not PCI DSS compliant, payment processors, businesses, and vendors can be liable to a financial institution for the cost of reissuing credit and debit cards in the event of a breach that results in the disclosure of the full, unencrypted account information contained on an identification device, or the full, unencrypted account number on a credit or debit card or identification device plus the cardholder’s name, expiration date, or service code.