Does Your Business Comply With Washington's Newly Amended Data Breach Notification Law?

Jun 22, 2015

By Olivia E. Gonzalez | Related Practices: Business, Employment and Litigation

Given the proliferation of high-profile data security breaches, 2014 was deemed the “year of the data breach” by various news and media sources.[1] Mega-retailers such as eBay, Target, and Home Depot were victims of sophisticated cyberattacks leading to the disclosure of millions of consumers’ personal information. But large retail chains and financial institutions are not the only entities at risk; small businesses are just as vulnerable to large-scale security breaches of their information technology (IT) systems.

Consider the following scenarios:

  • A week after terminating the manager at your main office, you learn that before leaving, she saved hundreds of confidential files containing customer information to her personal laptop.  Disgruntled at having been terminated, albeit for cause, the former manager threatens to disseminate the private information she misappropriated.
  • A current employee borrows a company laptop for a business trip to California.  The computer is loaded with confidential client files, including files belonging to Washington clients, and employee payroll records.  After going through security and before boarding the plane, she misplaces the laptop.  Two weeks later, the computer is mailed to your home office stripped of its contents.  It was not password protected.
  • Cyberattackers executed an attack on your company’s IT system. Although your in-house technology team is working on securing the network and “fixing” the problem, the situation has yet to be contained. An ongoing investigation confirms that customer information, and possibly employee information as well, has been accessed or stolen.

Each of the scenarios above may trigger a business’ duty to inform clients, consumers, and employees of a data breach under RCW 19.255.010, Washington’s data breach notification law. The law requires any person or business that conducts business in Washington to disclose any unauthorized disclosure of “personal information” (PI). PI is an individual’s first name or first initial and last name in combination with 1) their social security number, 2) their driver’s license or Washington state identification card number, or 3) an account, credit, or debit card number together with the security code or password required to access the account.[2]

RCW 19.255.010 was recently amended by House Bill 1078,[3] effective July 24, 2015, and now imposes more stringent notification requirements on businesses that disclose PI without authorization. Key elements of the new bill include:

  • Broader coverage. The old statute covered only “computerized” data. The new bill expands coverage to hard copy data in addition to electronic or “computerized” data. 
  • 45-day notification deadline. The old statute required businesses to notify consumers “in the most expedient time possible and without unreasonable delay.” The new bill imposes a 45-day deadline from when the breach was discovered to notify affected individuals.  If more than 500 Washington residents are affected by the breach, notification must also be provided to the attorney general by the time the notice is provided to affected individuals.
  • Notification content requirements. Whereas the old statute did not contain specific notification content requirements, the new bill does.  Under the revised law, notice must include the name and contact information of the reporting person or business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies.
  • Exemption from notice requirement where there is no risk of harm. The old statute did not require notification where there was “no risk of criminal activity.” Under the revised law, the exemption is broader: notice is not required if the breach “is not reasonably likely to subject consumers to a risk of harm.”
  • Safe harbor for secured PI. The new bill introduces a safe harbor for PI that is “secured” or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person.”
  • Certain entities exempted. The new bill exempts entities covered under the federal Health Insurance Portability and Accountability Act (HIPAA), or under the authority of the federal regulators of the Gramm-Leach-Bliley Act (GLBA),[4] from compliance if they otherwise comply with certain federal laws.
  • Injured party may recover damages. Like the old statute, the new bill provides a private right of action for an injured party to recover damages.

A business’ failure to adequately notify affected individuals of a data breach may also implicate other federal and state laws.  For instance, HIPAA establishes both criminal penalties for violations of HIPAA’s statutory prohibitions and civil penalties for violations of its implementing regulations, including its Privacy Rule and its Security Rule.  A business may also face civil litigation from injured parties, including claims of negligence, breach of contract or infliction of emotional distress.  

Responding to a data breach can be stressful and costly.  A business stands to lose more than just data; its goodwill and reputation may also be affected.  Here are some ways you can protect your client, consumer and employee information from unauthorized access:

  • Make client, consumer and employee privacy a chief concern by implementing a risk management system.  While antivirus software and firewalls are a good start, they are insufficient to meet the requirements of a truly capable technological defense system.
  • Limit the collection and storage of client, consumer and employee PI to the least amount necessary for the accomplishment of your business’ objectives.  PI should be disposed of securely when the need for it has expired.
  • Develop a comprehensive incident response plan that defines the types of data breach incidents, identifies the individuals to be notified in the event of a breach and outlines each of their responsibilities, and provides a clear course of action in response to a breach.
  • Establish requirements and policies for data security in software installations, data outsourcing, cloud storage and vendor contracts.  Provide staff awareness and training programs on those requirements and policies.
  • Identify all mobile and portable devices that contain and transmit company data.  Develop controls governing the use of those devices, encryption of data and access protocols to the firm network.
  • Amend vendor contracts to require compliance with applicable data security regulations, especially if vendors are used by your business to process, store, transmit or destroy client, consumer and/or employee data.
  • Consider purchasing cyber liability insurance.

You may not be able to prevent every breach; hackers grow more sophisticated by the day. But robust policies and security systems, coupled with a plan for swift response and notice to affected parties should a breach occur, can protect a business from a good part of the damages caused by a data breach.

If you have specific questions about securing your company’s PI or complying with Washington’s data breach notification law in the face of data breach, contact one of the attorneys in the Stokes Lawrence Employment group.


[1] Jay Johnson, If 2014 Was the Year of the Data Breach, Brace for More, Forbes (January 2, 2015), http://www.forbes.com/sites/danielfisher/2015/01/02/if-2014-was-the-year-of-the-data-breach-brace-for-more; Bill Whitaker, What Happens When You Swipe Your Card, CBS News (November 30, 2014), http://www.cbsnews.com/news/sw...

[2] RCW 19.255.010(5) (as amended effective July 24, 2015).

[3] H.B. 1078, § 2, 64th Leg., Reg. Sess. (2015).

[4] The GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.