April Brings Amendments to Washington and North Dakota Breach Notification Requirements

May.19.2015

April saw amendments to Washington State's and North Dakota's breach notification statutes.

In a prior Orrick Alert, we discussed some of the implications from the proposed data breach notification amendments in Washington State, which were largely included in the version of the bill that passed last month. In this alert, we summarize all of the significant changes to Washington State's new law and North Dakota's new law.

Washington

Washington State's amendments, which by far are the most sweeping, implement a number of new important changes. Of most significant import is the change to the encryption exemption discussed in a prior Orrick alert published when the amendments were initially proposed. Under the law, companies will be required to provide notice to Washington State residents whose personal information is compromised if the information is not encrypted "in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard"^[1] or otherwise modified so that it is unreadable, unusable, or undecipherable. The law also requires notice when encrypted personal information is compromised if the encryption key or cipher is also compromised.

Other notable changes include the following:

Notice is not required if the breach is "not reasonably likely to subject consumers to a risk of harm"
Notice must be written in "plain language," and include the name and contact information for the reporting entity (the entity experiencing the breach), types of personal information compromised, and the toll-free numbers and addresses for the major credit reporting agencies
Requires notice if paper records are compromised (previously, the statute only applied to computerized records)
Requires consumer notification in the most expedient time possible without unreasonable delay, not to exceed 45 days after discovery of the breach
Requires notification of the Washington State Attorney General if more than 500 Washington residents were affected by the breach by the time that Washington State residents are notified, along with a copy of the notice provided to consumers and an estimate of the total number of Washington State residents affected
Exempts HIPAA covered entities from the statute's notification requirements if they comply with Section 13402 of the HITECH Act
Exempts certain financial institutions under authority of federal regulators per the Graham-Leach-Bliley Act from the statute's notification requirements if they comply with notification requirements in applicable federal guidelines
Grants the Attorney General authority to bring enforcement actions for violations of the statute under the Washington Consumer Protection Act, RCW 19.86 (but excludes private consumer protection act claims)

North Dakota

North Dakota amendments (passed the same day) make fewer, but still important, changes. Among other things, the North Dakota law:

Requires organizations to notify the Attorney General if personal data for more than 250 North Dakota residents is compromised
Reduces the scope of personal information to include employer-assigned identification numbers only if the corresponding required security/access code or password is also compromised
Requires notice to all affected North Dakota residents, even if the organization is not conducting business in North Dakota

Washington State's law becomes effective on July 24, 2015. North Dakota's law becomes effective on August 1, 2015.

^[1] Although not explicit, presumably the law refers to NIST Federal Information Processing Standards Publication 197 (Nov. 26, 2001), available at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.

Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.