Washington State Legislature passed a set of amendments to Washington’s data breach notification statutes for businesses and government agencies. 

Key updates are:

1. Timing for notice of data breach to both consumers and the Attorney General was changed, from 45 days to 30 days. The existing exception for law enforcement delays remained.

2. The definition of personal information was updated. The amendments expand the types of personal information that, if breached, trigger an obligation to notify consumers. Additions include full names and in combination with:

  • social security number
  • driver's license
  • account number, credit or debit card number together with security or access code or password
  • full date of birth
  • private key for electronic signatures
  • student, military or passport ID number
  • health insurance numbers
  • medical information
  • biometric data

3. More notice requirements around login credentials, requiring businesses to prompt users to change their passwords and take appropriate measures to protect their privacy. 

4. Businesses will be required to include information on the length of time of exposure. Furthermore, the notice to the Attorney General will need to include types of personal information involved, length of time of exposure and containment steps. 

Once signed, the amendments to the bill will take effect March 1, 2020.