Washington State Passes New Data Breach Legislation
On April 25th 2019, the Washington state legislature passed Substitute House Bill 1071, which substantially tightens breach notification requirements for organizations that hold personal information about Washington residents. The bill was signed into law the following month and takes effect on March 1st 2020. Since similar legislation is likely to follow in other states, this briefing looks at the major changes and how they may affect information security compliance.
What are the changes?
The first change is a requirement to notify affected residents within 30 days of discovering a breach. Washington's existing statute allowed 45 days, and HIPAA-covered entities are used to the federal Breach Notification Rule, which allows up to 60 days. The new law therefore shrinks the reporting window considerably, and incident response plans that were timed against the 45- or 60-day deadlines will need to be revised. The 30-day clock starts at discovery of the breach, not at the end of the investigation, so an organization must be able to scope an incident and prepare notices quickly.
The second important change is a broader definition of the personal information whose exposure triggers notification. Under the new law, a person's name in combination with any of the following must be reported: social security number; state ID card or driver's license number; account, credit or debit card number together with any required security code, access code or password (e.g. the CVV); full date of birth; a private key used to authenticate or sign an electronic record; student, military or passport ID number; health insurance policy or identification number; medical information; or biometric data. A username or email address in combination with a password, or with security questions and answers, that would permit access to an online account also qualifies, even without the person's name. This single, expanded definition replaces the narrower set of data elements covered by the previous statute. How much of a change it represents for an individual organization depends on which compliance frameworks it was already subject to: organizations that already treat health, biometric and authentication data as regulated will see little difference, while those that only tracked the older list of identifiers will need to extend their data inventories and classification.
Why was this legislation introduced?
While there is no single event that led to the legislation, residents of Washington state have been affected by several nationwide and international breaches over the past few years. States are under both popular and pragmatic pressure to tighten their laws. For one, stricter laws should, in principle, raise the overall standard of security and thus reduce the number of successful breaches. For another, organizations with limited resources are likely to prioritize compliance in the states where they would face the harshest penalties. This creates an incentive for each state to act quickly and decisively rather than lag behind its neighbours.
We expect several other US states to follow Washington's example and tighten their own breach notification legislation. Similar laws have been passed in various countries over the past five years. The incentive to act quickly described above, combined with the objective need for better information security and the popularity of such measures with voters, means that comparable bills are likely to enjoy bipartisan support and pass. Organizations are advised to take this into account when designing information security policy: merely meeting today's baseline requirements may not be enough when taking a longer-term view. In the long run, the cost of building notification processes, data inventories and detection capabilities beyond the current minimum is likely to be outweighed by the cost of the breaches, penalties and policy do-overs that inaction or bare-minimum compliance invites.