[BreachExchange] Washington state legislature passes data breach law, but punts on privacy law

Destry Winant destry at riskbasedsecurity.com
Wed Apr 24 06:39:00 EDT 2019


https://www.scmagazine.com/home/government/washington-state-legislature-passes-data-breach-law-but-punts-on-privacy-law/

The Washington state legislature went one-for-two this month in its
attempt to pass major data breach and privacy regulations.

Yesterday, lawmakers unanimously passed HB 1071, which firms up and
expands requirements for public breach notifications, but the state
apparently has failed to approve a sweeping new state privacy law, SB
5367, after the House declined to pass it by an April 17 deadline.

Sponsored by Rep. Shelley Kloba (D-Kirkland), HB 1071 shrinks the
window businesses and government organizations have to notify
consumers and the state’s attorney general of a breach from 45 days to
30 days.

Under older law, businesses and government organizations only had to
notify consumers of a breach if hackers acquired consumers’ names in
combination with one of four forms of personally identifiable
information: Social Security numbers, driver’s license numbers, state
ID numbers or financial account information. But HB 1071 has greatly
expanded this list of PII to include full birth dates, health
insurance ID numbers, medical histories, student ID numbers, military
ID numbers, passport ID numbers, username-password combinations, or
biometric data.

“My office has seen the number of Washingtonians impacted by data
breaches increase year after year,” Ferguson said in a press release.
“Data breaches are a serious threat to our privacy, and this law will
arm consumers with information to protect their sensitive data.”

The Washington Senate passed the legislation this week, after the
House passed it back on March 1. Sen. Joe Nguyen (D-White Center)
sponsored the companion bill in the Senate.

On the other hand, SB 5376, aka the Washington Privacy Act, fizzled in
the state’s House after the Senate passed the legislation with a 46-1
vote.

The bill was intended to be among the strongest privacy laws in the
U.S., containing elements that were central to Europe’s General Data
Protection Regulation (GDPR). It would have granted consumers the
rights to know who is using their data and why, the right to delete
certain data, and the right to restrict the sale of data. The
legislation also laid out steps companies must follow to boost the
security of collected consumer information.

Reportedly, however, the bill ran into trouble in the House following
calls from privacy advocates to strengthen the bill even further.
Critics of the legislation reportedly expressed concern that the bill
still permitted the public use of facial recognition technology,
despite provisions to regulate its use. They also decried lawmakers’
late attempt to revise the bill’s language for the House — a
negotiation that included six Democratic lawmakers plus tech giants
like Microsoft and Amazon, but only one Republican and no
representatives from consumer advocate groups.

In an April 17 tweet, bill sponsor Sen. Reuven Carlyle (D-Seattle)
said the Senate would push for action next year. “We built alignment
that well-crafted, strong #dataprivacy is imperative to consumers and
society,” he wrote. “Unfortunately, House failed to pass privacy
legislation this year. We’re committed to 2020.”

