Choose Site


Tech & Sourcing @ Morgan Lewis


On April 23, Washington Governor Jay Inslee signed a bill that strengthens the state’s notification requirements in the event of a data breach. The new law makes it a violation of Washington’s Consumer Protection Act for a company to fail to notify state residents affected by a data breach, computerized or otherwise.

The measure—which goes into effect on July 24—will apply to people and companies doing business in Washington that own or license personal information of state residents. In the event of a security breach of a system storing such data, the new law requires covered entities to provide notice to affected individuals as soon as possible and no later than 45 days after the breach is discovered (unless otherwise requested by Washington law enforcement officials). However, if the data at issue in the potential breach is encrypted and does not include decryption keys or other similar ways to access the secured data, the notification requirements are waived subject to an analysis of the risk of likely harm. The law requires the breach notice to be written in plain language and include the type of information at risk and contact information for the appropriate credit reporting agencies.

In addition, the law requires such companies to notify the state attorney general of similar breaches and gives enforcement power to the Washington attorney general. The attorney general can bring actions on behalf of affected consumers or the state under Washington’s Consumer Protection Act, and covered entities could be liable for actual damages, costs, and fees in the form of treble damages up to $25,000.

Finally, the bill includes federal preemption language for those entities that have obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Graham-Leach-Bliley Act. So long as entities covered under those federal laws comply with applicable guidelines and notify the Washington state attorney general of such actions, they will be deemed in compliance with the requirements under the new Washington law.