Consumer & Attorney General may bring action

Mandated Timeframe: Within 30 days


Washington Privacy Law Information


If the breach affects an email account, the notification must be sent to the individual through a means other than the affected email address. Specific information must be included in the Attorney General breach notification, including a summary of steps taken to contain the breach and a sample copy of the consumer notification. If a breach affects more than 500 residents, breach notification must be made within 30 days to the State Attorney General. Specific information must be included in the consumer notification.


Organizations must notify affected Washington residents within 30 days after discovery of a breach of security involving their personal information. For breaches involving online account personal information (username or email and password/security question), consumer notification may be provided in electronic form informing consumers of the incident and directing them to change their password/security question/answer that may have been compromised. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.


For violations of the notice of breach requirements, consumers may bring a civil action to recover damages, and the Attorney General may bring an action in the name of the state or on behalf of affected state residents. Individuals injured by the failure of an entity to comply with data disposal requirements may bring a civil action to recover damages. The Attorney General may also bring an action for damages, injunctive relief, or both. Organizations may be fined or penalized for Vendor violations.


Entities handling personal health information and student data must comply with additional protection and disclosure requirements. Sector-specific laws (health, education) provide for an individual's right to access their personal information. Organizations must contract with vendors to whom they disclose personal information containing biometric identifiers. The contracted Vendors will not further disclose the biometric identifiers and will not enroll them in a database for a commercial purpose inconsistent with the notice and consent requirements that apply to Organizations relating to biometric identifiers.


Organizations and Vendors who are businesses operating in Washington must have measures in place for the secure destruction of records containing personal information, so that the records are unreadable or undecipherable. Washington has regulations specific to the collection, use, disclosure and protection of individuals' biometric identifiers.


Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.