Washington State Comprehensive Privacy Bill Loses Steam, Data Breach Law Amendment Heads to Governor’s Desk
As the legislative session drew to a close, what once seemed like an inevitability suddenly looked unlikely. The Washington Privacy Act, SB 5376/HB1854, failed to make its way through the legislative process. The Bill’s sponsor, Sen. Reuven Carlyle, called the game on April 17, tweeting that despite the “unprecedented 46-1 vote” in the Senate, “[u]nfortunately, House failed to pass privacy legislation this year. We’re committed to 2020.” Nevertheless, the State of Washington did pass notable privacy legislation, albeit on a more narrow topic.
On April 22, 2019, the Washington state legislature passed HB1071 (“the Bill”) to strengthen the state’s existing data breach notification law. The bill incorporates a few key amendments to Washington’s existing law:
Protection for more types of consumer information: The Bill imposes notification obligations when a consumer’s name is compromised along with any of the following information:
- Full date of birth;
- Electronic signatures;
- Certain identification numbers, including student ID numbers, military ID numbers, passport ID numbers or health insurance ID or policy numbers;
- Medical history information;
- Biometric data, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics; or
- Usernames or email addresses in combination with passwords or security questions and answers
Shorter Notification Timeframe: The Bill now requires covered entities to notify affected residents and the state Attorney General of a data breach no later than 30 days following discovery of the breach, unless the delay is at the request of law enforcement or due to any measures necessary to determine the scope of the breach and restore the integrity of the data system.
Reminders on Usernames and Passwords: If consumer usernames or passwords are breached, the notice to affected residents must instruct the affected consumer to change his or her password and security question or answer, or to take other appropriate steps to protect the online account.
The law was delivered to the desk of Governor Jay Inslee of Washington on April 26, where it is expected to be signed.