Washington

RCW 42.56.590 applies to state agencies that own or license computerized data that includes personal information. RCW 19.255.010 applies to any person or business that conducts business in the State of Washington and owns or licenses computerized data that includes personal information. Under both, if there is a breach of the security of a system, there is an obligation to notify the individuals whose personal information was involved.

However, a person or business under this law is not be required to disclose a technical breach of the security system that does not seem reasonably likely to subject customers to a risk of criminal activity.

The laws cover ‘Personal Information’ which is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

1. Social Security number;
2. Driver's license number or Washington identification card number; or
3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.