Mandatory Timeframe for Breach Reporting and/or Consumer Notification: Within 30 days
Laws related specifically to personal information:
- Breach Reporting & Consumer Notification
- Protect Personal Information
- Program for Protection & Security
- Vendor Specific Obligations
- Vendor Mandated Contracts
- Requests for Information
Fines & Penalties:
- Violations of Breach Notification Laws: Consumer & Attorney General may bring an action
- None to minimal
Businesses must notify affected Washington residents within 30 days after discovery of a breach of security involving their personal information.
Specific information must be included in the consumer notification.
If a breach affects more than 500 residents, breach notification must be made within 30 days to the State Attorney General.
Specific information must be included in the Attorney General breach notification, including a summary of steps taken to contain the breach and a sample copy of the consumer notification.
For breaches involving online account personal information (username or email and password/security question), consumer notification may be provided in electronic form informing consumers of the incident and directing them to change their password/security question/answer that may have been compromised. If the breach affects an email account, notification must be sent to the individual through a means other than the affected email address.
If a vendor is breached, it must immediately notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction where they reside.
For violations of the notice of breach requirements, consumers may bring a civil action to recover damages, and the Attorney General may bring an action in the name of the state or on behalf of affected state residents.
Washington has regulations specific to the collection, use, disclosure and protection of individuals’ biometric identifiers.
Businesses must contract with vendors to whom they disclose personal information containing biometric identifiers.
Businesses must have procedures in place for the secure destruction and proper disposal of records containing personal information.
Individuals injured by the failure of an entity to comply with data disposal requirements may bring a civil action to recover damages. The Attorney General may also bring an action for damages, injunctive relief, or both.
Entities handling personal health information and student data must comply with additional protection and disclosure requirements.
Sector-specific laws (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws
Wash. Rev. Code Ch. 19.255 Personal Information – Notice of Security Breaches
Wash. Rev. Code Ch. 19.215 Disposal of Personal Information
Wash. Rev. Code Ch. 19.375 Biometric Identifiers
Wash. Rev. Code Ch. 28A.604 Student user privacy in education rights
Wash. Rev. Code § 28A.605.030 Student education records – Parental review – Release of records
Wash. Rev. Code Ch. 70.02 Medical Records – Health Care Information Access and Disclosure