Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Within 45 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection & Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach Notification Laws:
- Attorney General may bring an action
None to minimal
Specific defined information that must be included in the consumer notification.
Breach reporting must be made without unreasonable delay, but within 45 days, to the state attorney general, if notification is required to more than 500 residents.
Consumers may institute civil action to recover damages. The business may be enjoined. The attorney general may take additional action.
For violations of the notice of breach laws, the attorney general may bring an action in the name of the state, or on behalf of persons residing in the state.
For failing to take reasonable precautions against breach, the processor, business, or vendor is liable to a financial institution for reimbursement of costs related to the reissuance of credit cards and debit cards and possible future damages.
Individuals injured by the failure of an entity to comply with data disposal laws or notice of breach laws may bring a civil action to recover damages.
Separate laws govern the protection of student and health data.
If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
Wash. Rev. Code §§ 19.255.010-19.255.020 Personal Information – Notice of Security Breaches
Wash. Rev. Code §§ 19.215.005-19.215.030 Disposal of Personal Information
Wash. Rev. Code § 63.14.123 Restrictions on electronically printed credit and debit card receipts
Wash. Rev. Code § 19.200.010 Automated Financial Transactions / Restrictions on credit and debit card receipts
Wash. Rev. Code § 28B.10.042 Personal identifiers—Use of social security numbers prohibited