Washington State

Office of the Attorney General

Attorney General

Bob Ferguson

As a business, you serve an important role in helping protect personal information. The following resources can help:



Washington State Laws

Sharing of Information Relevant to Identity Theft: If a business has information relating to identity theft and may have done business with the thief, the business must provide, upon the request of the victim, copies of all relevant information. Before providing the requested information, businesses may require the victim to verify his or her identity. Businesses may require proof of identity and charge reasonable fees for providing the information. Businesses may require:

  1. A government issued photo identification card.
  2. A copy of a police report.
  3. A written statement from the State Patrol documenting that the victim's identity has been verified.

A business that shares information with others for the purpose of aiding identity theft victims or assisting law enforcement will not be subject to civil or criminal liability if done in good faith.

A business may decline to provide the information when, in good faith and reasonable judgment, it determines that the law does not require the disclosure of the information.

A business that fails to disclose information may be in violation of the Consumer Protection Act. A consumer harmed by such a violation may be awarded actual damages, or, in the case of willful violations, punitive damages of up to $1,000, costs and reasonable attorney's fees.

Security Breach Frequently Asked Questions

Reporting Data Breaches: Washington has two data breach notification laws. RCW 19.255.010 applies to individuals and businesses. RCW 42.56.590 applies to local and state agencies. The laws are essentially the same and require individuals, businesses, and public agencies to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made "in the most expedient time possible" and not more than 30 days after the breach was discovered. If a security breach affects more than 500 Washington residents, notification must also be provided to the Attorney General's Office, which can be done electronically at Data Breach Notification Web Form. For additional information and details, refer to the Frequently Asked Questions (FAQs) or read the statutes.

Data security breach notifications sent to the Attorney General’s Office are available for review at Data Breach Notifications

Safely Disposing of Personal Information: Washington State law (RCW 19.215) requires businesses to “take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities.”