July 2015 Bar Bulletin
Washington's Amended Data Breach Notification Law
By Olivia Gonzalez
Is Your Business in Compliance?
Given the proliferation of high-profile data security breaches, 2014 was deemed the "year of the data breach" by various news and media sources.1
Mega-retailers such as eBay, Target and Home Depot were victims of sophisticated cyberattacks leading to the disclosure of millions of consumers' personal information. But large retail chains and financial institutions are not the only entities at risk; small businesses are just as vulnerable to large-scale security breaches of their information technology (IT) systems.
Consider the following scenarios:
- A week after terminating the manager at your main office, you learn that before leaving, she saved hundreds of confidential files containing customer information to her personal laptop. Disgruntled at having been terminated, albeit for cause, the former manager threatens to disseminate the private information she misappropriated.
- A current employee borrows a company laptop for a business trip to California. The computer is loaded with confidential client files, including files belonging to Washington clients, and employee payroll records. After going through security and before boarding the plane, she misplaces the laptop. Two weeks later, the computer is mailed to your home office stripped of its contents. It was not password protected.
- Cyber attackers executed an attack on your company's IT system. Although your in-house technology team is working on securing the network and "fixing" the problem, the situation has yet to be contained. An ongoing investigation confirms that customer information, and maybe even employee information, has been accessed or stolen.
Each of these scenarios may trigger a business's duty to inform clients, consumers and employees of a data breach under RCW 19.255.010, Washington's data breach notification law. The law requires any person or business that conducts business in Washington to give notice of the unauthorized disclosure of "personal information" (PI). PI is an individual's first name or first initial and last name in combination with the individual's: (1) Social Security number, (2) driver's license or Washington state identification card number, or (3) account, credit or debit card number along with the required security code or password.2