Washington State shortens notice deadline after breaches
Washington has toughened data breach laws by reducing the amount of time to notify affected individuals of a breach to 30 days, down from 45 days.
The move comes after unanimous bipartisan votes in both legislative chambers.
The federal Department of Health and Human Services requires healthcare organizations to notify affected persons within 60 days of discovery of a breach, but states can impose their own breach notification laws.
Washington State Attorney General Bob Ferguson requested the change in the breach notification process. “My office has seen the number of Washingtonians impacted by data breaches increase year after year,” he says. “Data breaches are a serious threat to our privacy and this law will arm consumers with information to protect their sensitive data.”
Rep. Shelley Kloba sponsored the bill in Washington’s House of Representatives, and Sen. Joe Nguyen sponsored a companion bill in the Senate.
“Time and time again, millions of Americans have had their most private information stolen and abused due to poor corporate stewardship over the data we entrust them with,” Nguyen says. “This legislation will ensure that we have mechanisms for accountability put in place so when a data breach occurs, we can act quickly and decisively to mitigate further harm.”
Before the new law, a business or government affected by a breach would be required only to notify consumers if a hacker obtains a consumer’s name along with a Social Security number, driver’s license number, state ID number or financial account information.
Now, consumers also have to be notified if nine other pieces of protected information are potentially accessed when a breach occurs, including birth dates, health insurance IDs, medical history, student IDs, military IDs, passport IDs, usernames and passwords, biometric data such as DNA profiles or fingerprints, and electronic signature.
Between July 2017 and July 2018, data breaches in the state rose 26 percent over the previous year.
“This bill updates our consumer protection laws so that consumers are made aware of a breach more quickly and can take protective action,” Kloba says. “Additionally, companies that collect and store data will need to pay more attention to safeguarding it against internal and external threats.”