Breach, Compliance Management, Data Security, Government Regulations, Privacy

Washington state legislature passes data breach law, but punts on privacy law


The Washington state legislature went one-for-two this month in its attempt to pass major data breach and privacy regulations.

Yesterday, lawmakers unanimously passed HB 1071, which firms up and expands requirements for public breach notifications, but the state apparently has failed to approve a sweeping new state privacy law, SB 5367, after the House declined to pass it by an April 17 deadline.

Sponsored by Rep. Shelley Kloba (D-Kirkland), HB 1071 shrinks the window businesses and government organizations have to notify consumers and the state's attorney general of a breach from 45 days to 30 days.

Under older law, businesses and government organizations only had to notify consumers of a breach if hackers acquired consumers' names in combination with one of four forms of personally identifiable information: Social Security numbers, driver's license numbers, state ID numbers or financial account information. But HB 1071 has greatly expanded this list of PII to include full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, or biometric data.

"My office has seen the number of Washingtonians impacted by data breaches increase year after year," Ferguson said in a press release. "Data breaches are a serious threat to our privacy, and this law will arm consumers with information to protect their sensitive data."

The Washington Senate passed the legislation this week, after the House passed it back on March 1. Sen. Joe Nguyen (D-White Center) sponsored the companion bill in the Senate.

On the other hand, SB 5376, aka the Washington Privacy Act, fizzled in the state's House after the Senate passed the legislation with a 46-1 vote.

The bill was intended to be among the strongest privacy laws in the U.S., containing elements that were central to Europe's General Data Protection Regulation (GDPR). It would have granted consumers the rights to know who is using their data and why, the right to delete certain data, and the right to restrict the sale of data. The legislation also laid out steps companies must follow to boost the security of collected consumer information.

Reportedly, however, the bill ran into trouble in the House following calls from privacy advocates to strengthen the bill even further. Critics of the legislation reportedly expressed concern that the bill still permitted the public use of facial recognition technology, despite provisions to regulate its use. They also decried lawmakers' late attempt to revise the bill's language for the House -- a negotiation that included six Democratic lawmakers plus tech giants like Microsoft and Amazon, but only one Republican and no representatives from consumer advocate groups.

In an April 17 tweet, bill sponsor Sen. Reuven Carlyle (D-Seattle) said the Senate would push for action next year. "We built alignment that well-crafted, strong #dataprivacy is imperative to consumers and society," he wrote. "Unfortunately, House failed to pass privacy legislation this year. We're committed to 2020."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.