Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Within 30 days

Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection & Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach Notification Laws:
- Consumer & Attorney General may bring an action

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Businesses must notify affected Washington residents within 30 days after discovery of a breach of security involving their personal information.
  • Specific information must be included in the consumer notification.
  • If a breach affects more than 500 residents, breach notification must be made within 30 days to the State Attorney General.
  • Specific information must be included in the Attorney General breach notification, including a summary of steps taken to contain the breach and a sample copy of the consumer notification.
  • For breaches involving online account personal information (username or email and password/security question), consumer notification may be provided in electronic form informing consumers of the incident and directing them to change their password/security question/answer that may have been compromised. If the breach affects an email account, notification must be sent to the individual through a means other than the affected email address.
  • If a vendor is breached, it must immediately notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction where they reside.
  • For violations of the notice of breach requirements, consumers may bring a civil action to recover damages, and the Attorney General may bring an action in the name of the state or on behalf of affected state residents.
  • Washington has regulations specific to the collection, use, disclosure and protection of individuals’ biometric identifiers.
  • Businesses must contract with vendors to whom they disclose personal information containing biometric identifiers.
  • Businesses must have procedures in place for the secure destruction and proper disposal of records containing personal information.
  • Individuals injured by the failure of an entity to comply with data disposal requirements may bring a civil action to recover damages. The Attorney General may also bring an action for damages, injunctive relief, or both.
  • Entities handling personal health information and student data must comply with additional protection and disclosure requirements.
  • Sector-specific laws (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws
  • Wash. Rev. Code Ch. 19.255 Personal Information – Notice of Security Breaches
  • Wash. Rev. Code Ch. 19.215 Disposal of Personal Information
  • Wash. Rev. Code Ch. 19.375 Biometric Identifiers
  • Wash. Rev. Code Ch. 28A.604 Student user privacy in education rights
  • Wash. Rev. Code § 28A.605.030 Student education records – Parental review – Release of records
  • Wash. Rev. Code Ch. 70.02 Medical Records – Health Care Information Access and Disclosure