As a business, you serve an important role in helping protect personal information. The following resources can help:
Federal Trade Commission
Washington State Laws
Sharing of Information Relevant to Identity Theft: If a business has information relating to identity theft and may have done business with the thief, the business must provide, upon the request of the victim, copies of all relevant information. Before providing the requested information, businesses may require the victim to verify his or her identity. Businesses may require proof of identity and charge reasonable fees for providing the information. Businesses may require:
- A government-issued photo identification card.
- A copy of a police report.
- A written statement from the State Patrol documenting that the victim's identity has been verified.
A business that shares information with others for the purpose of aiding identity theft victims or assisting law enforcement will not be subject to civil or criminal liability if done in good faith.
A business may decline to provide the information when, in good faith and reasonable judgment, it determines that the law does not require the disclosure of the information.
A business that fails to disclose information may be in violation of the Consumer Protection Act. A consumer harmed by such a violation may be awarded actual damages, or, in the case of willful violations, punitive damages of up to $1,000, costs and reasonable attorney's fees.
Reporting Data Breaches: There are actually two data breach notification laws. RCW 19.255.010 applies to businesses. RCW 42.56.590 applies to local and state agencies. The content is essentially the same. The laws require businesses, agencies and individuals to notify Washington residents affected by a security breach of computerized, unencrypted data that includes personal information. Disclosure must be made without "unreasonable delay, consistent with the legitimate needs of law enforcement". Notice may be given as written notice, electronic notice or "substitute" forms including news media and the business or agency Web site. This indirect notice is allowed when the cost of providing notice would exceed $250,000, or more than 500,000 people were affected by the breach, or the person or business does not have sufficient contact information. For additional information, read the statutes.
Safely Disposing of Personal Information: Washington State law (RCW 19.215) requires businesses to “take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities.”