New Tougher Data Breach Bill Passed in State Legislature

Although they've been roasted for not always getting things done, or perhaps passing ridiculous legislation, this time most agree the State Legislature did it right.

By a unanimous margin, the State Senate and House passed a tougher data breach bill for companies that do business in Washington state. Patterned after a previous bill a few years ago, this one adds more reporting requirements and shortens the reporting period window for companies.

According to the Attorney General's office, if a company suffers a data or information breach, they now have only 30 days to inform consumers, lowered from the previous 45 days.  New types of citizen data has also been added.

Assuming Gov. Inslee signs the bill, which he is expected to do, any company that has customers in Washington state or does business here will be expected to inform consumers if any of the following information is at risk due to a breach:

• Full birth dates
• Health insurance ID numbers
• Medical history
• Student ID numbers
• Military ID numbers
• Passport ID numbers
• Usernames and passwords
• Biometric data, such as DNA profiles or fingerprints
• Electronic signatures

This new bill will be one of the toughest in the U.S.  The previous bill was passed after a number of large companies admitted they'd been hacked over the last few years, but sometimes waited as long as a year before publicly releasing that information.