January 2016 Bar Bulletin
Skip Navigation Links
CLE / Education
For Lawyers
Legal Help
Special Programs
MyKCBA Login

January 2016 Bar Bulletin

Safeguarding Personal Information: What Washington Businesses Need to Know about Data Security Standards

By Charles E. Harris II, Laura R. Hammargren, and Rebecca M. Klein


It was recently reported that, prior to the end of the year, there had been 717 data breaches in 2015, exposing an estimated 176 million records. Thirteen of the breaches targeted Washington-based organizations.1

The hefty financial costs and reputational harm that usually attend these attacks have raised awareness about the importance of data security at the highest levels in organizations. But, with no national law establishing mandatory, uniform data security measures, many organizations are unsure about whether they are legally required to employ specific safeguard standards.

This article discusses safeguard standards under: (i) federal law; (ii) the Revised Code of Washington (RCW); and (iii) laws from other states. The article also discusses certain established data security standards and why Washington entities — even those subject to statutory safeguard standards — might consider complying with one of these standards.

U.S. businesses in only a few sectors have traditionally been subject to specific data security standards under federal law. The two primary examples are “financial institutions” and companies that handle health care information. If a business is not part of or dealing frequently with these sectors, there are generally no specific safeguard standards that a business must implement pursuant to federal statute.

Some state statutes, however, require specific safeguards for companies that do business in the state or that handle personal information of the state’s residents. Moreover, companies may be contractually required to implement specific data security standards. For example, credit card brands, including Visa, MasterCard, American Express and Discover, require businesses that store and transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS).

Industry-Specific Federal
Data Security Standards

Financial Institutions

The Gramm-Leach-Bliley Act (GLBA)2 declared it a public policy that each “financial institution” has an affirmative obligation to “protect the security and confidentiality of [its] customers’ nonpublic personal information.”3 A “financial institution” under the GLBA includes any entity “engaging in financial activities.”4

The GLBA does not contain specific data security standards. Instead, it tasks certain federal and state agencies with establishing appropriate standards for financial institutions subject to their jurisdiction.5

The FTC, for example, promulgated the “Safeguards Rule” under the GLBA.6 The Safeguards Rule, which applies to any business covered by the GLBA that is “significantly engaged” in providing financial products or services,7 mandates that these businesses develop a written information security program (or WISP) containing the following elements:

• Identification and assessment of the risks to customer information in relevant company operations, and evaluation of the effectiveness of the current safeguards;

• Implementation of safeguards to control the risk identified in the assessment;

• Regular testing and monitoring of the WISP’s effectiveness;

• Oversight of the handling of customer information by service providers and the selection of service providers that can maintain appropriate safeguards;

• Evaluation and adjustment of the program in light of relevant circumstances, including changes in operations or the results of security testing and monitoring; and

• Establishment of procedures to properly dispose of personal information.8, 9

Businesses in the Health Care
or Medical Industry

...login to read the rest of this article.

Return to Bar Bulletin Home Page

KCBA Twitter Logo KCBA Facebook Logo KCBA LinkedIn Logo KCBA Email Logo

King County Bar Association
1200 5th Ave, Suite 700
Seattle, WA 98101
Main (206) 267-7100
Fax (206) 267-7099

King County Bar Foundation Home Page

Charitable Arm of the Bar

Jewels Page

Pillars of the Bar Page

All rights reserved. All the content of this web site is copyrighted and may be reproduced in any form including digital and print
for any non-commercial purpose so long as this notice remains visible and attached hereto. View full Disclaimer.