On March 4, 2015, Washington State’s House of Representatives passed HB 1078, which would significantly tighten Washington’s current data breach notification requirements, currently codified at RCW 19.255.010. The bill has been sent to the Senate, where it is scheduled to be heard by the Law and Justice Committee on March 19. Among the proposals are two extremely important changes that are critical for all organizations—not just those based or domiciled in Washington State. First, the bills would narrow the existing law that exempts organizations from having to provide data breach notification to individuals if the compromised data were encrypted. The new requirement would instead require notification if encrypted data is stolen, unless the data is encrypted to standards at or above those set by the National Institute of Standards and Technology (NIST). Second, it explicitly codifies the Attorney General’s power to pursue a violation of the notification statute as an unfair or deceptive act in trade or commerce under the state’s consumer protection laws.1 For the reasons explained below, these changes would establish Washington’s as one of the strictest notification requirements, practically requiring organizations across the country to notify all citizens (whether or not in Washington) in accordance with its directives.
The single most important proposed change is the narrowing of the current encryption exemption to the notification requirement. Under the current law, as in many other jurisdictions, notification is not required if the data compromised during the breach is encrypted. HB 1078 would change that by implementing a first-of-its-kind requirement that notice be given to any Washington State resident whose encrypted personal information is compromised, unless the information is encrypted in a manner that meets or exceeds NIST’s standard, or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person. Thus, organizations can still avoid notification obligations if they “secure” the data by either a) encrypting the data in accordance with, or beyond, NIST standards, or b) rendering the information unreadable, unusable or undecipherable by an unauthorized person through some other methodology, not specified in the bill. Organizations considering (or currently using) alternative methods to secure the data such as hashing, salted hashing, or tokenization would need to analyze whether these other technical measures would fulfill the statutory requirement given the relevant circumstances.
There are two other important limitations on the notification exemption even if the data is encrypted at or above the NIST standard. First, the exemption does not apply “if the information acquired and accessed is not secure during a security breach,” presumably meaning that the theft of unencrypted data would still trigger the notification requirement even if the data were encrypted at other times. Second, and less controversial, the exemption does not apply if the confidential process, encryption key or other means to decipher the secured information is acquired by an unauthorized person.
This proposed change is critical for all organizations, not just those that are domiciled in Washington State, because organizations that suffer a breach are required to notify individuals based on the state of residence of the individual whose data is stolen, regardless of where the organization is located or based. Thus, an organization in Kansas, for example, would have to notify Washington State residents pursuant to Washington State law, not Kansas State law. Combined with the various requirements of 47 different state notification laws, Washington’s bill creates an important practical consideration. Generally, organizations want to avoid notifying individuals in one state (because that state law requires it) but not in other states (because the other states’ laws do not have similar notification requirements). Patchwork notification of that nature can create confusion among individuals and undermine efforts at transparency because average citizens generally do not understand the nuanced differences between the various state notification laws. This is especially true today, where such perceived discrepancies are regularly communicated and shared via traditional and social media, leading to individuals believing they were the subject of disparate treatment. As a result, traditional wisdom suggests notifying all affected individuals under the strictest state notification regime, whether required or not by the regimes of other states. Washington’s bill portends to raise the bar, requiring broader notification to more individuals.
The bill also has a very important secondary effect. Organizations interested in taking advantage of the revised exemption will now be well-counseled to consider implementing NIST-compliant encryption standards, although the bill does not specify what those actually are. Moreover, although the NIST-equivalent standards are also an option, organizations who elect to take that avenue will likely have to go through the additional process of validating equivalence before safely being able to rely on the exemption. To do otherwise, would potentially undermine the ability to rely on the safe harbor altogether. Equivalence validation, however, will not prove easy because the statute offers no guidance on what “equivalence” requires, or how it should be measured.
The second most important change in HB1078 is that it explicitly grants the Attorney General the authority to bring enforcement actions for violations of HB 1078 under the Washington State Consumer Protection Act, RCW 19.86. More specifically, HB 1078 would make a violation of the statute “an unfair or deceptive act in trade or commerce and an unfair method of competition.” This would give Washington State’s Attorney General not only greater enforcement power, but also greater investigatory powers and the ability to obtain treble damages for intentional/willful violations.
With HB 1078, Washington State is poised to set the bar on notifying individuals whose information was encrypted, but compromised, and to establish a national encryption standard. At a minimum, Washington State’s efforts to tie the definition of encryption to the NIST standard is a development that will require companies holding personal information on the state’s residents to assess their current encryption technology and practices.
Now, more than ever, organizations should engage in a regular review of all aspects of a data security program on an ongoing basis. HB 1078 serves as a reminder that part of that review should include an assessment of the encryption technology and methodology currently employed to ensure that these are appropriate in light of the sensitivity of the data being protected; the legal, reputational, operational, and other risks arising in case of a breach exposing that data; and the advances in technology and capabilities of hackers to break weak encryption methods.
1HB 1078 also imposes two additional, more standard, requirements. First, it requires that the notification be made to both consumers and the Attorney General “in the most expedient time possible and without unreasonable delay, no more than 45 calendar days after the breach was discovered.” While open to interpretation, the bill appears to require notice to the Attorney General only if the breach affects more than 500 state residents. The notification can be given later at the request of law enforcement or “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Second, HB 1078 also adds several new requirements related to the content of the notice that must be provided to affected consumers. The notice must be written in plain language, contain contact information of the reporting person or business, a list of the types of data believed to have been subject to the breach, and contact information for the major credit reporting agencies. If the breach affects over 500 state residents, a sample copy of the breach notification must be provided to the Attorney General along with the number or estimated number of affected residents.
Orrick’s Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.