Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Within 45 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Written Program for Protection & Security
  • Third Party: Specific Obligations
  • Third Parties: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification
Laws Actions for damages can be brought

Regulation Levels
  • Breach Reporting
  • Consumer Notification
  • Third Party Management
  • Privacy Programs
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Specific defined information that must be included in the consumer notification.
  • Breach reporting must be made without unreasonable delay, but within 45 days, to the state attorney general, if notification is required to more than 500 residents.
  • Consumers may institute civil action to recover damages. The business may be enjoined. The attorney general may take additional action.
  • For violations of the notice of breach laws, the attorney general may bring an action in the name of the state, or on behalf of persons residing in the state.
  • For failing to take reasonable precautions against breach, the processor, business, or vendor is liable to a financial institution for reimbursement of costs related to the reissuance of credit cards and debit cards and possible future damages.
  • Individuals injured by the failure of an entity to comply with data disposal laws or notice of breach laws may bring a civil action to recover damages.
  • Separate laws govern the protection of student and health data.
  • If vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • Wash. Rev. Code §§ 19.255.010-19.255.020  Personal Information – Notice of Security Breaches (2005)
  • Wash. Rev. Code §§ 19.215.005-19.215.030  Disposal of Personal Information (2002)
  • Wash. Rev. Code § 63.14.123 Restrictions on electronically printed credit and debit card receipts (2009)
  • Wash. Rev. Code § 19.200.010 Automated Financial Transactions / Restrictions on credit and debit card receipts (2009)
  • Wash. Rev. Code § 28B.10.042  Personal identifiers—Use of social security numbers prohibited (2001)
BAck to map