Page 25 - SMRH Eye on Privacy 2019 Year in Review Brochure

Washington’s Breach Law Amended, Effective March 20, 2020
Posted on May 9, 2019
Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) with this element in its law. Also included are name and student ID, military ID, or passport number; name and health insurance numbers or medical information; and name and biometric information. Login credentials are now also included in the definition of personal information.
In addition to expanding the definition of personal information, the law will also require notification to impacted individuals and the attorney general (if more than 500 residents have been impacted) within 30 days, rather than the current 45. When providing notice, companies will also need to explain the “time frame of exposure,” in addition to existing content requirements (like the types of information impacted).
PUTTING IT INTO PRACTICE: Companies will have time before the Washington amendment goes into effect, but should keep in mind that beginning next year the scope of personal information has been broadened in Washington, and that the time frame for notification will be shortened to 30 days.
US State Breach Law Modifications Begin in 2019 with Massachusetts
Posted on March 11, 2019
Massachusetts’ breach notice law has been amended, requiring companies that suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, MA’s breach notice law already obligates companies that suffer a breach impacting Massachusetts individuals to tell the MA AG. As part of that notice, they needed to explain the nature of the breach, the number of residents impacted, and the mitigation steps taken. Now, the MA AG will also need to be told if the company has a written information security program, as well as greater detail about the breach itself. These details include the person responsible for the breach of security, if known, as well as the name and title of the person reporting the breach and that person's relationship to the entity that was breached. A sample copy of the notice sent to consumers also needs to be provided to the MA AG. That sample notice will be posted on the MA AG website within one day of receipt, provided that doing so does not “impede an active investigation” by either the MA AG or another law enforcement agency. The law also places additional requirements on the AG to post information to its website about breaches.
The amendment will also impact the provision of credit monitoring services, which will be required for breaches impacting certain types of sensitive information. This mirrors requirements in other jurisdictions including California and Connecticut. Monitoring has to be provided for free, for 18 months (42 months if the entity is a credit reporting agency), and individuals cannot be required to waive their right to a private right of action in order to receive the credit monitoring. When filing the notice of breach with the MA AG, companies must certify that they are in compliance with these credit monitoring provisions.
The amendment also changes the notice to consumers. Namely, companies cannot delay notice because they do not yet know how many Massachusetts residents have been impacted. Instead, notice should be provided on a rolling basis as the company discovers (if the company discovers) that additional people were impacted. Additionally, if the company that suffered a breach is owned by a parent company, the notice to the individual needs to include the name of that parent.
PUTTING IT INTO PRACTICE: Massachusetts will likely not be the only state to amend its breach notice requirements in 2019. Of note are the credit monitoring provisions as well as the additional detail that needs to be provided to the MA AG. As a reminder, there is no threshold number of impacted MA residents that triggers the AG notice requirement.