On April 13, the Washington State Senate unanimously passed an amendment to the state's data breach notification law. The amendment, which was requested by Washington Attorney General Bob Ferguson, and which we discussed in this previous post, passed the state house of representatives in March and is now awaiting the governor's signature. The law will require notification to affected consumers and to the attorney general, if more than 500 Washington residents are affected, within 45 days of discovery of the breach. The law further clarifies the exemption for encrypted data, and requires notification of encrypted data if the encryption key, or other means of deciphering the "secured" data, is also acquired during the breach. As state legislative sessions across the country begin to wind down, we will likely have much more to report on amended breach notification laws. Many of the amendments are being driven by state attorneys general, as we noted in a recent interview with Oregon Attorney General Ellen Rosenblum.
This article is presented for informational purposes only and is not intended to constitute legal advice.