New data breach protections go into effect March 2020

OLYMPIA — Recently Attorney General Bob Ferguson released his fourth annual Data Breach Report. The report shows that data breaches increased by nearly 20 percent in 2019. The report also shows that breaches affected fewer Washingtonians in 2019 due to the relative size of the breaches.

Ferguson’s Data Breach Report relies on filings from businesses and state agencies that experienced breaches between July 2018 and July 2019. Washington law requires businesses and state agencies to report breaches affecting at least 500 Washingtonians to the Attorney General. That requirement stems from the passage of Attorney General Ferguson’s data breach legislation in 2015.

2019 breach figures

Between July 2018 and July 2019, data breaches impacted 390,000 Washingtonians. This represents a significant decrease from 2018, when data breaches impacted 3.4 million Washingtonians, mainly due to a mega-breach reported that year by credit-reporting firm Equifax. That breach alone affected more than 3.2 million Washingtonians, and resulted in the largest-ever data breach enforcement action in United States history.

There were no mega-breaches affecting Washington residents in fiscal year 2019. However, the number of Washingtonians impacted by small to mid-size breaches more than doubled in 2019 — from 180,000 to 390,000.

The report does not include the Capitol One breach announced in late July, which affected an estimated 100 million people nationwide. Consequently, the number of Washingtonians affected by data breaches will likely be higher in next year’s report.

New protections for consumers

New consumer protections go into effect on March 1, 2020 thanks to the passage of Attorney General Request legislation in 2019.

“This report highlights that data breaches remain a serious threat to our privacy,” Ferguson said. “New data breach protections go into effect for Washingtonians soon. My office will continue to be a watchdog protecting Washingtonians’ privacy.”

Responding to trends identified in previous year’s data breach reports, Ferguson proposed agency-request legislation in 2019 to further protect Washingtonians. House Bill 1071 reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days, and expanded the definition of “personally identifiable information” to include:

  • Tax ID numbers
  • Passport numbers
  • Health insurance policy numbers
  • Biometric data, such as fingerprints and DNA profiles
  • Medical history
  • Keys for electronic signatures
  • Student ID numbers
  • Military ID numbers
  • Usernames and email addresses

The bill passed both houses unanimously, and will go into effect March 1, 2020.

The report makes several recommendations to policymakers on how to better protect people’s data, including expanding the definition of “personal information” to include tribal identification numbers, and amending state law to require notification if financial information or Social Security Numbers are breached, even if the full names of the associated individuals are not breached.

Ferguson’s work on data breaches

In 2015, the Attorney General requested legislation updates to Washington’s data breach notification statute, closing a loophole that allowed most Washington state businesses to avoid the notice requirements. Washington’s law now requires businesses and governments to notify the Attorney General’s Office after suffering breaches affecting the personal information of at least 500 Washingtonians. At the time, Washington law did not provide any deadline for notifying affected Washingtonians, and did not require notification of the Attorney General’s Office at all. The 2015 legislation created a 45-day deadline, which Ferguson’s 2019 legislation reduced to 30 days.

Attorney General Ferguson has been taking action to protect Washingtonians when companies fail to reasonably secure data or provide timely notice regarding breaches. Ferguson led a coalition of 30 state attorneys general investigating a data breach by Premera Blue Cross, the largest health insurance company in the Pacific Northwest. As a result of that investigation, the office announced in July that Premera would pay $10 million for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country.

Also in July, the office announced that Equifax would pay more than half a billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.

Ferguson’s office has required several corporations that experienced breaches that impacted Washingtonians’ privacy, including Premera, Equifax, Uber and Target Corporation, to enter into legally enforceable agreements to improve their data security.

More information

For more information about data breaches in Washington, including the individual data breach reports submitted to the Attorney General’s Office, is available at http://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at http://www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.