2018 report also details Ferguson’s recommendations to strengthen Washington’s data breach notification law
OLYMPIA — Attorney General Bob Ferguson’s third annual Data Breach Report finds that data breaches affected nearly 3.4 million Washingtonians between July of 2017 and July of 2018 — an increase of 700,000, or 26 percent, over the previous year, and an increase of nearly 3 million, or more than 700 percent, compared to two years ago.
The law requires notice to the Attorney General when a breach impacts 500 or more Washingtonians, and the Attorney General’s Office received 51 such notices in fiscal year 2018. Ferguson’s report finds that malicious cyberattacks continue to be the leading cause of data breaches affecting Washingtonians.
In light of these trends, Ferguson’s report recommends a number of ways to strengthen Washington state’s data breach notification law.
“The number of Washingtonians impacted by data breaches increased for the second consecutive year,” Ferguson said. “We must strengthen our law to help Washingtonians secure their sensitive information.”
Ferguson’s report identifies several deficiencies in Washington state’s data breach notification law. For example, Washington’s law does not cover several types of sensitive information. If a malicious hacker obtains the combination of a Washingtonian’s email address and password, the law does not require anybody to notify that Washingtonian. Washington’s law also fails to ensure notice to Washingtonians when a breach exposes their tax ID number, passport number, health insurance policy number or DNA profile.
Furthermore, Washington state law allows too much time before a government agency or business that has discovered a breach must notify affected Washingtonians.
Ferguson’s report makes the following recommendations to strengthen Washington’s data breach notification law:
- Reduce the deadline to notify affected individuals of a breach to 30 days after the breach is discovered;
- Require preliminary notification to the Attorney General’s Office of a breach within 10 days after the breach’s discovery; and
- Expand the definition of personally identifiable information to include full dates of birth, usernames in combination with passwords, digital signatures, DNA profiles or other forms of biometric data, and identification numbers from passports and other sources.
Ferguson will introduce Attorney General request legislation in 2019 that will make these improvements to state law.
Ferguson’s work on data breaches
In 2015, Attorney General request legislation updated Washington’s data breach notification statute, closing a loophole that allowed most Washington state businesses to avoid the notice requirements. Washington’s law now requires businesses and governments to notify the Attorney General’s Office after suffering breaches affecting the personal information of at least 500 Washingtonians. At the time, Washington law did not provided a deadline for notifying affected Washingtonians. Ferguson proposed requiring notice to affected Washingtonians within 30 days of the discovery of a breach, but the Legislature extended this deadline to 45 days.
Attorney General Ferguson has been taking action to protect Washingtonians when companies fail to reasonably secure data or provide timely notice regarding breaches. In November of 2017, the Attorney General’s Office filed a multi-million-dollar consumer protection lawsuit against ride sharing company Uber for failing to disclose a data breach that compromised the names and driver’s license numbers of nearly 13,000 Uber drivers in Washington. Uber failed to notify affected drivers and the Attorney General’s Office of the breach within 45 days. The company waited roughly 372 days to provide notice. As a result of Ferguson’s lawsuit, Uber will pay $5.79 million to Washington state, which includes $170 for nearly 13,000 impacted drivers.
The Uber data breach also compromised the login, encrypted password and some geolocation information for nearly 50 million riders worldwide. However, Washington’s data breach statute does not currently cover this type of information.
Ferguson’s office has required several corporations, including Target Corporation, that experienced breaches that impacted Washingtonians’ privacy to enter into legally-enforceable agreements to improve their data security.
More information about data breaches in Washington, including the individual data breach reports submitted to the Attorney General’s Office, is available at www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
The Office of the Attorney General is the chief legal office for the state of Washington with attorneys and staff in 27 divisions across the state providing legal services to roughly 200 state agencies, boards and commissions. Visit www.atg.wa.gov to learn more.
Dan Jackson, Acting Communications Director, (360) 753-2716; DanJ1@atg.wa.gov