Wednesday, May 04, 2005

Washington Enacts Security Breach Notification Law

Governor Christine Gregoire has signed Senate Bill 6043, making Washington yet another state since California to enact a security breach notification law.

At this site we stated that this trend would be very difficult to resist in the wake of numerous breaches involving consumers' personal information, particularly the ChoicePoint breach, in which California residents were informed first.

Washington's new law is based on California's law.

The new law requires that:

"Any person or business that conducts business in this state and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

The law states that "'breach of the security of the system' means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure."

"Personal information" refers to:

An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

-- Social security number
-- Driver's license number
-- Washington state identification card number
-- Account number or credit or debit card number, when in combination with a security code, access code or password that would permit access to an individual's financial account.

The law also states that:

"A person or business under this section shall not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity."

The Washington Public Interest Research Group, a consumer group, decided not to support the bill because technical breaches are not covered.

The Washington Bankers Association said the provision was necessary to keep consumers from being inundated with notices every time a hacker makes it through a single security layer before being stopped by additional security measures.

** Other States **

On March 31, the Arkansas Governor signed Arkansas Senate Bill 1167, which will require, like California's law, that consumers be notified of unauthorized disclosures of their personal information. The new law will also require regular reasonable information security measures.

** Update **

Georgia has become the latest state, along with California, Arkansas, and Washington state, to enact a security breach notification law. On Thursday, May 5, 2005, Governor Sonny Perdue signed Senate Bill 230 into law. The law only applies to information brokers, like ChoicePoint.

New York's security breach notification bill, Assembly Bill 4254, passed the Assembly on May 4.


Anonymous said...

Excellent post. I used to be checking constantly this blog and I am impressed! Very helpful info particularly the last part :) I maintain such info a lot. I was seeking this certain info for a very lengthy time. Thanks and best of luck.

My blog; calculate waist to height ratio

11:30 PM  
