Washington State

Office of the Attorney General

Attorney General

Bob Ferguson

HB 1071 FAQ Table of Contents
Note: The Attorney General’s Office cannot give legal advice to private individuals or business owners. It is our practice, however, to provide members of the public with information of a general nature whenever possible. For more specific answers and clarification about how Washington law might apply to you and your specific situation, you are encouraged to consult the law itself, and/or legal counsel.

1. What are the Washington State Data Breach Notification laws?
Washington has two data breach notification laws. One is specific to government agencies and the other is specific to the private sector.
  1. RCW 19.255 applies to individuals and businesses.
  2. RCW 42.56.590 applies to local and state agencies.
These laws require individuals, businesses, and public agencies to notify Washington residents in the event that:
  • Their personal information is (or is believed to have been) acquired by an unauthorized individual; and
  • The resident’s personal information was not secured (i.e. encrypted); and
  • The breach of the security of the system is reasonably likely to subject consumers to a risk of harm.
This notice protects consumers by providing them with the facts needed to monitor and protect their personal information – such as the date of the breach, and the data that was accessed.

For more information on the specific provisions of these laws, you can visit our website here:
Identity Theft and Privacy Guide for Businesses

You can also find information about Washington’s data breach and data security laws, and how they compare to other states, in our office’s most recent annual Data Breach Report, which you can find here:
Data Breach Notifications
2. What is HB 1071?
During the 2019 Legislative Session the Attorney General proposed request-legislation to strengthen Washington’s Data Breach Notification laws. HB 1071 was sponsored by Representative Shelly Kloba. Senator Joe Nguyen sponsored a companion bill in the Senate. HB 1071 passed unanimously out of both chambers of the Legislature, and was signed into law by Governor Jay Inslee on May 7, 2019.

You can find additional information on HB 1071’s path through the Legislature on the official Washington State Legislature website, here:
HB 1071 (2019-20)

HB 1071’s revisions to the laws go into effect on March 1, 2020.
3. What changes does HB 1071 make to the definition of “personal information?”
Prior to HB 1071, “personal information” was defined as someone’s first name or first initial and last name in combination with any of the following data elements:
  • Social Security number; or
  • Driver’s license number or Washington identification card number; or
  • Account number or credit or debit card number, in combination with any required security code, or password that would permit access to their account.
HB 1071 expands the definition of “personal information” to include:
  • First name or initial and last name in combination with one or more of the following:
    • Social Security number;
    • Driver’s license number or Washington identification card number;
    • Account number or credit or debit card number, in combination with any required security code, or password that would permit access to their account
    • Full date of birth;
    • Private keys for electronic signature;
    • Student, military, or passport identification numbers;
    • Health insurance policy or identification numbers;
    • Medical information, including medical history, mental or physical condition, diagnoses, or treatment; and
    • Biometric data.

  • Any of the above elements, not in combination with first name or initial and last name, if the affected data was not rendered unusable via encryption or redaction and would enable a person to commit identity theft against the consumer.

  • Username and email address in combination with a password or security questions and answers that would permit access to an online account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
4. What changes does HB 1071 make to the notification that is sent to Washington residents?
HB 1071 expands the information required in notices to residents of Washington State. Starting March 1, 2020, all notifications to residents must include:
  • If known, a time frame of exposure, including the date of the breach and the date of the breach’s discovery;

  • If the breach involves a resident’s username and password, the notice must inform the resident that they should promptly change their password and security question or answer, and/or take other appropriate steps to protect their online account(s), including those not associated with the breached entity, that use the same email address, password, or security question or answer.

  • If the breach involves a resident’s login credentials for an email account, the breached entity may not provide the breach notification to the resident via that email address.
5. What changes does HB 1071 make to the notification sent to the Attorney General’s Office?
Notice of a breach must be provided to the Attorney General’s Office when the breach affects more than 500 Washingtonians. These notices can be sent to our office electronically at SecurityBreach@atg.wa.gov.

HB 1071 expands the information required in these notices. Effective March 1, 2020, all notices to our office must include:
  • A list of the types of personal information that were or are reasonably believed to have been breached;
  • If known, the time frame of exposure, including the date of the breach and the date of the discovery of the breach;
  • A summary of steps taken to contain the breach; and
  • A copy of the breach notification sent to affected residents.
HB 1071 also requires that breached entities provide updates to the Attorney General’s Office for any of the above information that was unknown at the time notice was due.
6. When are notices to affected residents and the Attorney General’s Office due?
Starting March 1, 2020, notices to affected residents and to the Attorney General’s Office must be made “in the most expedient time possible, without unreasonable delay,” and no later than 30 calendar days after the breach was discovered.

State agencies may delay notification to residents up to an additional 14 days to allow the notice to be translated into the primary language of the affected resident.

Businesses and individuals may not delay notice, unless:
  • Law enforcement is contacted after discovery of the breach, and the law enforcement agency determines that notification will impede a criminal investigation; or

  • The delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Data security breach notifications sent to the Attorney General’s Office are available for review online, here:
Data Breach Notifications
7. When do the changes in HB 1071 go into effect?
All of HB 1071’s revisions to the laws go into effect on March 1, 2020.
8. What can my business or agency do to prepare for these changes?
  • Identify if you hold data as defined by “personal information,” and where it is stored;

  • Assess whether you truly need to collect and store the “personal information” that is being held.

  • Develop policies for the collection, encryption, and use of “personal information.”

  • Properly dispose of any held “personal information” that is no longer of need to your business or agency;
    • Consider reviewing RCW 19.215, “Disposal of Personal Information” for more details.

  • Talk to your colleagues about the changes to the law;

  • Ensure your business or agency has an action plan in the event of a data breach.
    • This could including developing a dedicated Incident Response Team, or implementing automated security technologies to detect attempted breaches.