Careers

Diversity, Equity & Inclusion

Experience

Innovation

Interactive Maps

Locations

About

Pages

Meet our team of innovators
Ask us how we do it

Professionals

Insights

Services

Thompson Hine LLP, a full-service business law firm with approximately 400 lawyers in 8 offices, was ranked number 1 in the category “Most innovative North American law firms: New working models” by The Financial Times and was 1 of 7 firms shortlisted for The American Lawyer’s inaugural Legal Services Innovation Award. The firm has been recognized by the National Law Journal as a Legal Technology Trailblazer and featured by Bloomberg for its innovative service delivery models, which drive accuracy and predictability. The firm’s commitment to innovation is embodied in Thompson Hine SmartPaTHTM – a smarter way to work – predictable, efficient and aligned with client goals. For more information, please visit ThompsonHine.com and ThompsonHine.com/SmartPaTH.

Home | Thompson Hine LLP

Atlanta

Chicago

Cincinnati

Cleveland

Columbus

Dayton

Los Angeles

New York

Washington, D.C.

core/separator

core/heading

core/list

A relatively new development in state data breach law is the expansion of the circumstances in which organizations must issue data breach notifications, accompanied by an acceleration of the timeframes in which they must do so. Washington state accomplished both when its governor recently signed HB 1071 into law.

contentpilot/introduction

Washington’s law will come into force in 2020, and businesses should consider creating, implementing and testing data incident response plans against the heightened standards set forth in HB 1071, as this trend in data breach notification laws will likely continue among other states.

core/paragraph

In 2005, Washington enacted its data breach notification law, which applies to “[a]ny person or business that conducts business” in Washington and that “owns or licenses data that includes personal information” on Washington residents. The current law also applies to individuals or organizations that maintain (but do not own) personal information, while HB 1071 will extend applicability to organizations that “possess[ ],” but otherwise do not own or license, such data.

At its core, Washington’s law requires certain organizations to notify “any resident” of Washington if his or her personal information was, or is reasonably believed to have been, subject to a data breach. The current law contains exceptions to the notification requirement if the data breach “is not reasonably likely to subject consumers to a risk of harm” or was inadvertently acquired “in good faith.” HB 1071 will not alter either of these existing exceptions. Similarly, HB 1071 does not amend the current law’s exclusion of information that is encrypted in a manner that meets, or exceeds, the standards set forth by the National Institute of Standards and Technology, or is otherwise rendered as unreadable, unusable or undecipherable

On the other hand, HB 1071 will clarify how a data breach notification may be provided to impacted individuals and the types of information that must be disclosed to the state’s attorney general (if notification is otherwise warranted by the size and nature of the breach).

Expanding the Class of Reportable Breaches

The underlying purpose of any data breach notification law is to enable victims to undertake measures that reduce the probability their compromised information will be used to commit identify theft or other harm. For example, criminals can exploit an individual’s stolen personal information to create new financial accounts, issue fraudulent identity documents, and even submit falsified tax records to seek government-issued refunds.

Accordingly, the majority of U.S. data breach notification laws define “personal information” in terms of an individual’s name, in connection with his or her (i) Social Security number, (ii) driver’s license or other state identification card number, or (iii) certain financial information. Given the sensitivity of personal information and the harm that may result from its unauthorized access or acquisition, state data breach laws generally require organizations to notify individuals if this information is compromised.

Of particular importance, HB 1071 expands the definition of personal information beyond the above mentioned three categories to include, among others, the following types of data:

HB 1071 also defines personal information as any of these data elements disconnected from an individual’s name, if the data is not encrypted, redacted or otherwise rendered unusable, and the data “would enable a person to commit identity theft against a consumer.”

Washington state joins North Dakota in providing one of the few domestic legal frameworks that includes a person’s date of birth in the definition of personal information – the compromise of which may result in a notification obligation and potential liability. This raises particular concerns in terms of data breach risk, given how broadly organizations can access and retain this information. For example, individuals often post information about their birthday on social media platforms, and office “birthday parties” have become commonplace. Although the Washington law provides an exception for publicly available information, this exception only applies if the information was lawfully made public from federal, state or local government records (and not by the individual).

Thus, an organization subject to Washington’s data breach law will have to notify an individual if his or her name and date of birth (or any other data element identified above) are compromised in a breach.

The earlier that victims of a data breach are notified, the sooner they can take steps to mitigate the risk of harm. Accordingly, HB 1071 defines and limits the timeframe in which an organization must notify a Washington resident of a data breach. Under the current law, if an organization must notify an affected consumer or the attorney general of a data breach, it must do so “in the most expedient time possible and without unreasonable delay,” but in “no more than forty-five calendar days after the breach was discovered,” unless an exception delineated in the law applies. Pursuant to HB 1071, these notifications must be issued “in the most expedient time possible without unreasonable delay, and no more than thirty calendar days after the breach was discovered,” unless an exception applies.

Washington’s law follows other states’ recently enacted or amended data breach response laws. For example, Colorado’s amended law, which went into force in 2018, provides the same 30-day breach notification timeframe. Of course, these timeframes are substantially different from those imposed by the European Union’s General Data Protection Regulation as well as certain requirements governing financial services that require data breach notifications to occur within 72 hours of the incident.

Preparing for the Worst: Data Breach Response Plans and Best Practices

Businesses should establish and continuously test their data breach response plans as a best practice, as well as to account for their evolving data privacy and cybersecurity requirements. Often, a data breach response plan addresses:

Not only is an effective data incident response plan needed to ensure organizations are in compliance with data breach notification laws, it is essential for minimizing reputational damage and other costs that may result from a data breach.

Thomas F. Zych 216.566.5605 <a href="mailto:Tom.Zych@ThompsonHine.com">Tom.Zych@ThompsonHine.com</a>

Steven G. Stransky 216.566.5646 <a href="mailto:Steve.Stransky@ThompsonHine.com">Steve.Stransky@ThompsonHine.com</a>

Mona Adabi 202.263.4147 <a href="mailto:Mona.Adabi@ThompsonHine.com">Mona.Adabi@ThompsonHine.com</a>

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.

https://admin.thompsonhine.com/wp-content/uploads/2022/04/Privacy__Cybersecurity_Update_-_Washingtons_New_Data_Breach_Law_Follows_Enhanced_Privacy_Protection_Trends.pdf

Washington’s New Data Breach Law Follows Enhanced Privacy Protection Trends

Services