Introduction
What happens after your company is the subject of a data security breach? Washington’s RCW 19.255 imposes specific obligations on employers following a security breach involving personal information. Employers must act swiftly to notify affected individuals and, in certain cases, the Attorney General. This post outlines those core responsibilities and compliance best practices.
Who Must Comply and What Triggers Obligations
- The law applies to any person or business that conducts business in Washington and owns, licenses, or maintains computerized data containing personal information. A breach of the security of the system is the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information. Good-faith acquisition by an employee or agent for the business's own purposes is not a breach, provided the information is not used or further disclosed. Notice is not required when the personal information was secured (encrypted or otherwise rendered unreadable) and the key or other means of deciphering it was not also acquired, or when the breach is not reasonably likely to subject consumers to a risk of harm. Whether the exposed data was encrypted, and whether the key went with it, is therefore one of the first facts to establish.
- "Personal information" means a resident's first name or first initial and last name in combination with one or more of: Social Security number; driver's license or state ID number; account, credit card, or debit card number together with any security code, access code, or password that permits access to the account; full date of birth; a private key unique to the individual and used to authenticate or sign an electronic record; student, military, or passport ID number; health insurance policy or ID number; medical history, condition, diagnosis, or treatment information; and biometric data. It also covers a username or email address in combination with a password or security question and answer that would permit access to an online account, and it can cover the data elements above without the name where they alone would enable identity theft.
Notification to Affected Individuals
Timing Requirements
- Employers must notify affected individuals in the most expedient time possible and without unreasonable delay, and no more than 30 calendar days after the breach was discovered. A quick response is required, but employers should involve legal counsel before the notification goes out, so the statutory clock and the legal review need to run in parallel rather than in sequence.
The notification must be written in plain language and include:
- The name and contact details of the reporting entity,
- The types of personal information involved,
- The time frame of exposure, if known, including the date of the breach and the date it was discovered, and
- Toll‑free numbers and addresses for major credit reporting agencies.
Special Cases
- If the breach involves a username or email address together with a password or security question and answer, the notice may be provided electronically and must direct the individual to promptly change their password and security question or answer, and to take the same steps on any other online account that uses the same credentials.
- If the compromised credentials belong to an email account the employer itself furnished, the notice may not be sent to that email address; it must be delivered by another permitted method.
- Notification may be delayed if law enforcement determines that it would impede a criminal investigation, or for the time reasonably needed to determine the scope of the breach and restore the integrity of the affected systems. The delay lasts only as long as that reason applies; notice must still go out promptly once it no longer does.
Notification to the Attorney General
If a single breach requires notifying more than 500 Washington residents, the employer must also electronically submit a notice to the Attorney General's Office, no later than 30 days after the breach was discovered.
The notice to the Attorney General must include:
- The number of Washington residents affected (or an estimate if the exact number is not yet known),
- The types of personal information involved,
- The date of the breach and the date of its discovery,
- A summary of the steps taken to contain the breach, and
- A single sample copy of the consumer notification, with personally identifiable information removed.
If any of that information is unknown when the initial notice is due, the employer must supplement the notice to the Attorney General as the information becomes available.
Core Compliance Steps for Employers
- Assess the breach immediately upon discovery: what data was acquired, whether it was encrypted or otherwise secured, and how many Washington residents are affected.
- Notify your legal team of the breach and, where a crime is suspected, involve law enforcement.
- Work with your legal team to prepare a clear, plain-language notice for affected individuals.
- Deliver the notice within 30 days of discovery via a permitted channel, and never to a company email account whose credentials were part of the breach.
- If more than 500 Washington residents are affected, compile and submit a notice to the Attorney General within the same 30 days.
- Remain prepared to update the Attorney General as new information becomes available.
- Document every step and decision, including the discovery date and the basis for any delay, so you can demonstrate compliance if the Attorney General inquires.
Why Compliance Matters
Failing to notify affected individuals or the Attorney General, or providing incomplete or late notice, is a violation of the Washington Consumer Protection Act and can result in enforcement action by the Attorney General or a private action by affected individuals.
To learn more about Washington’s Employer Legal Responsibilities, please contact Beresford Booth at info@beresfordlaw.com or by phone at (425) 776-4100.