Washington attorney general’s data breach notification bill unanimously approved in Senate

Today, Washington Attorney General Bob Ferguson’s legislation strengthening the state’s data breach notification law passed the state Senate, 47 to 0.

Today, Washington Attorney General Bob Ferguson’s legislation strengthening the state’s data breach notification law passed the state Senate, 47 to 0.

It passed the House of Representatives March 4, 97 to 0. The bill now heads to Governor Jay Inslee for his signature.

“I’m thrilled to see the Legislature agree on these common-sense updates to our law,” Ferguson said. “Nearly every day, we hear of another troubling compromise of sensitive personal information. Protecting consumers is one of my top priorities, and the sooner they know their data has been compromised, the more they can do to minimize that damage.”

The legislation strengthens Washington’s data breach notification law by:

  • Eliminating the blanket exemption for encrypted data;
  • Requiring consumer notification as immediately as possible and no later than 45 days whenever personal information is likely compromised;
  • Requiring that the Attorney General be notified within 45 days when a data breach occurs at a business, non-profit or public agency, enabling the Attorney General to compile centralized information about data breaches for law enforcement and consumers; and
  • Requiring businesses, non-profits and agencies, when reporting a breach, to provide consumers with basic information they can use to help secure or recover their identities.

The senate version, Senate Bill 5047, is sponsored by Sen. John Braun, R—Centralia.

“Identity theft is becoming more common and can have serious impacts on peoples’ lives,” said Braun. “I’m pleased that my colleagues joined me in supporting this legislation, which would empower consumers with access to timely information to understand what they can do if their sensitive data have been compromised.”

The House version of the Attorney General’s agency-request legislation, House Bill 1078, is sponsored by Rep. Zack Hudgins, D—Tukwila.

“Cybercrime gets more sophisticated every day, but it’s been nearly a decade since our data breach notification law had any update,” Hudgins said. “Consumers need these tools to protect themselves when data breaches occur. I hope this robust discussion of cybersecurity continues.”

Every year, data breaches imperil the personal and financial information of millions of consumers across the nation. Sophisticated hackers attack businesses, non-profits, and public agencies of all sizes, accessing vast troves of consumer information with each breach.

In 2012 alone, the most recent year that federal Bureau of Justice Statistics data are available, 16.6 million Americans — some 7 percent of those age 16 or older — were victims of identity theft. According to the Online Trust Alliance, in 2013 there were 2,164 data breaches in which over 830 million records were exposed, including credit card numbers, email addresses, login credentials, Social Security numbers and other personal information.

Current state law regarding data breaches does not adequately protect consumers in this new age of massive database theft. It does not require notifications concerning the release of “encrypted” data, even when the encryption is easy to break or there is reason to believe that the encryption “key” has been stolen. Current law does not specify a deadline by which consumers must be notified nor does it require entities to provide consumers with information on how to protect themselves in the wake of a breach.

Finally, unlike other states, Washington state law does not require any centralized reporting to the state when a data breach occurs, resulting in a lack of robust information for law enforcement and consumers.