EP 38: The new data breach notification law in Washington
About this episode
October 15, 2019
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, discuss the revised Washington State data breach notification law and why it matters to all our listeners.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities and Jake Bernstein, cybersecurity counsel at the law firm of Newman Du Wors. Visit them at cyberriskopportunities.com and newmanlaw.com.
Kip Boyle: So, Jake, what are we going to talk about today?
Jake Bernstein: Today, Kip, we're going to talk about the revisions via amendment to the Washington state data breach notification law. Governor Jay Inslee signed House Bill 1071 into law on May 7th, 2019, and will modify RCW 19.255.010 and 200.
Kip Boyle: Sounds like an IP address. Keep going.
Jake Bernstein: It does, doesn't it? So while the Washington legislature did not get its big GDPR project completed, the changes to the data breach notification statute are still quite significant.
Kip Boyle: Okay, so you and I live in the great state of Washington. Love it here. Don't ever want to leave. But I know that a large chunk of our audience does not live in Washington state and is probably at this point saying, "I don't even know why I started this episode." So let me ask you on their behalf, should they keep listening to this?
Jake Bernstein: Yes, they should. First, businesses that operate nationally often must keep on top of all data breach statutes, including the 49 other states where they are not headquartered.
Kip Boyle: We'll have to dig into that later.
Jake Bernstein: We will. Yes. But second, the Washington amendments are instructive for everyone because they show the evolution of privacy and security legislation, even when states fail to pass sweeping regulations, like the presently on hold and GDPR inspired Washington Privacy Act.
Kip Boyle: Okay. So I think what you're saying is that Washington state lawmakers got really ambitious. They loved GDPR and they said, "We want one," but they didn't quite make it. So in lieu of that, we have these amendments. Is that pretty much it?
Jake Bernstein: Pretty much, yes. [crosstalk]
Kip Boyle: Okay. But there's a lot to unpack.
Jake Bernstein: There's a lot to unpack, for sure, definitely.
Kip Boyle: Okay. All right. All right. Okay. So is that why this law was amended and what was wrong with the old law or what didn't the old law do? Please explain this.
Jake Bernstein: Okay. So one, it's difficult to say exactly why they chose to amend the law this year. It's never clear, but my suspicion is that it had something to do with the GDPR law not going through. So you could consider it a consolation prize, but I'm not actually sure if the sponsorships were the same. So really quick, if you don't know how legislatures work, basically every bill has to have a sponsor and sometimes those sponsors will sponsor the same bill multiple times, year, after year, after year, if they don't pass, or sometimes they'll sponsor a whole bunch of bills that are related, and I suspect that's what happened here.
Kip Boyle: Okay. So I'm a man of a certain age. I remember Schoolhouse Rock on Saturday morning. "I'm just a bill. Yes, I'm only a bill."
Jake Bernstein: I know.
Kip Boyle: And that was like-
Jake Bernstein: It's really too bad that [crosstalk]
Kip Boyle: I learned so much from that.
Jake Bernstein: Yeah. It's still true.
Kip Boyle: Okay. So if nobody knows what I'm talking about, go to YouTube after this episode, look it up. It's Schoolhouse Rock. How a bill becomes a law. It's this great little cartoon ditty. Love it. And that'll bring you up to speed with what Jake just said. Okay. Let's keep going.
Jake Bernstein: All right. So the real question here is what did they do to the data breach notification law? And I'm going to give you the high level bullet points first, and then we'll drill down a bit and discuss the implications.
Kip Boyle: Great.
Jake Bernstein: So first, they dramatically expanded the definition of personal information. They modified the method of notification and they introduced additional content requirements for the notifications that you're sending. And then just in case that's not enough, they also reduced the time permitted for notifications and created a new requirement for updating notifications to the attorney general.
Kip Boyle: Okay. So that's actually a pretty big amendment. That sounds like a lot of substantial changes. And it also seems like an overall toughening or strengthening. Seems like it is going in the direction of what you had said before, which is their dream was to have a Washington state GDPR. Okay. So let's start looking at these five different points. Can we start with something simple, just kind of ease into it?
Jake Bernstein: Yes. Here's the simplest one. Instead of 45 days to issue notifications to affected individuals, you now get 30.
Kip Boyle: As an information security professional, clinically speaking, I like this. However, as a chief information security officer, this annoys me because 30 days is barely enough time to do anything in the business world. 45 days seemed like not enough, and now there's only 30 and I just wonder if the legislature really understands just how hard that is.
Jake Bernstein: Well, so the new update allows you to give notifications in stages. And I think the idea is to get the information to the affected individuals as soon as possible so they can protect themselves. Given that, I'm not sure that I disagree with this change. I mean, it's only 15 days, but a lot can happen in just over two weeks.
Kip Boyle: Okay. Well, I could also call it a 33% reduction, right? And now it sounds really big. And as a former assistant attorney general, I got to think you like this too. Right?
Jake Bernstein: So the attorney general has to be notified when there are 500 or more Washington residents affected by a data breach, and everything we're going to talk about, applies to that. So if you have to... Sorry. If you have to notify the attorney general, then you only get 30 days as well.
Kip Boyle: Okay. Okay. Okay. So if I'm a CISO and I'm trying to figure out how to comply with this law, the first thing I'm going to figure out is how can I maximize this 30-day window? And so I'm probably going to figure out how to take the time that I need before the 30-day notification timer starts. That's probably what I would do. Is there anything in this amendment that you know of that would prevent me from taking that tack?
Jake Bernstein: Well, let's move on to the expanded content and then we can figure that out.
Kip Boyle: Okay. Yeah, that sounds good. All right. So we know that the notification has just decreased. Okay. So is there another easy one?
Jake Bernstein: Not really.
Kip Boyle: Okay. Which is the next less hard one? Is that a good way to say it?
Jake Bernstein: It is. And I'm actually going to give you a twofer here. So the new law makes changes to both how you notify affected individuals and what content you have to include in the notification.
Kip Boyle: Okay. That might be good because sometimes these laws are super vague and you have to struggle to figure out what to do. So walk us through.
Jake Bernstein: You say that, you say that now, but just wait.
Kip Boyle: Wonderful. Be careful what you wish for.
Jake Bernstein: Yes. The method change is fairly simple, convenient, and I think most businesses will really like it. So here it is. If the breach involved a username or password, the breached entity may provide notice via email.
Kip Boyle: And not something through the postal service? Like just email?
Jake Bernstein: Just email. And this is a big deal because as we both know, postage for breach notifications is one of the largest expenses just administratively.
Kip Boyle: Yeah. Well, and everybody's attention these days is going from hand-delivered letters to email. I mean, everybody that I do business with wants to send me emails. Nobody wants to send me a piece of paper anymore.
Jake Bernstein: Now there is a caveat. If the breach involves the login credentials of an account furnished by the entity, then you cannot use the email, and I think we know why.
Kip Boyle: Okay. So the postmaster general, first of all, is breathing a sigh of relief. I could guess why. Is it because maybe I can't receive an email notification because my account was hijacked?
Jake Bernstein: Correct.
Kip Boyle: Okay.
Jake Bernstein: Or-
Kip Boyle: I got a point.
Jake Bernstein: ... even worse. They, and I have seen this happen, bad guys will set up filters on your email, so you only get the email that they want you to get.
Kip Boyle: Right. And so if there's filtering out and breach notifications and whatnot, then you're going to remain clueless. You're going to live in your bubble of perfect security and be fooled. Okay. Yeah, that makes sense.
Jake Bernstein: Okay. So now we get the fun one, the content. So the notification itself must, and this is a quote, inform the person whose personal information has been breached to promptly change his or her password and security question or answer as applicable, or to take other appropriate steps to protect the online account. Now, this is great. It's not quite finished. That is with respect to the breached entity, but you also have to tell the person to take care of all other online accounts for which the person used the same username or email address and password or security question and answer.
Kip Boyle: Oh, that's actually really good. So because a lot of people do that.
Jake Bernstein: It is. And what does that sound like to you?
Kip Boyle: It sounds like anybody who's doing that has really horrible cyber hygiene, but what else does it sound like?
Jake Bernstein: Well, to me, it sounds like the legislature is getting a clue, which is [crosstalk]
Kip Boyle: Yeah, you're right. You're right. Yeah. I mean, it was so practical when you said it to me that I was like, "Finally." But yeah, the implication is that legislatures are finally starting to realize how things really work. Yeah. That's a great revelation.
Jake Bernstein: Yeah. I'm hoping that is true. So here's the rest of the new content requirement, and this is a little scary. So you have to include details of the breach, including a timeframe of exposure of the relevant personal information, if you know it, and, and this is my favorite part, the date of the breach and the date of discovery of the breach. Now if you think about this, if I have to tell you the date of the breach, the date of discovery of the breach, and then you know when you got your notification, there's kind of an automatic self enforcing thing going on here.
Kip Boyle: Yeah. This is more insight on behalf of the legislature. So in the case of like Equifax, if they had to notify under this rule, people would've seen that the exploit had happened like six months prior to them figuring out that it happened.
Jake Bernstein: Exactly. And now that information still came out, but it was dependent on journalists and Twitter and the blog [crosstalk]
Kip Boyle: Geo reports.
Jake Bernstein: Yeah, exactly. So what Washington has done, which I think is pretty interesting, is [inaudible] a shame system here where within the notification, companies have to cop to their timing and what happened.
Kip Boyle: Well, that's good. Yeah. That's transparency.
Jake Bernstein: It is transparency. And there's one more bullet. If the notice must be provided to the Washington attorney general, and again, if there's 500 or more Washington residents, then the affected entity must include that same content, so the timeframe, the details, the dates, and a list of the types of information affected by the breach and a summary of steps taken to contain the breach, plus a sample copy of the notice to the affected individuals. So the AG wants a full report and you can't really hide at all.
Kip Boyle: Huh. Well, okay. So I think this is good for people who are affected by data breaches. So I'm happy about that, but I can't help but to feel a little pain in my neck as a CISO because my workload's gone up. Oh, well.
Jake Bernstein: I think that will be the case. Anyone who has to deal with this new law, frankly, has a lot more work to do than they do under most typical data breach notification laws. In fact, what I have seen is that when a state can't quite get that sweeping regulation passed, they're going ahead and modifying their data breach notification laws. And most of those are pretty old and the scope was limited, as we'll see. And I think another reason that this is worthwhile for everyone, not just our Washington state audience, is that this is probably what you're going to see from data breach notification statutes moving forward, and that even in states that have zero appetite for a sweeping GDPR or California Consumer Privacy Act type of law, that you will see these types of changes to data breach notification.
Kip Boyle: Okay. Would you say that the Washington state amended data breach notification law is one of the toughest in the country now?
Jake Bernstein: I think it probably is. It's definitely among the toughest in terms of states that don't yet have comprehensive laws.
Kip Boyle: Right. Right, right. Now. Okay. I mean, so as a CISO, when I'm designing a program and I know that there are 50 different data breach notification laws, it's very common to take the approach of, well, let me figure out which one's the most restrictive, the one that requires the most, and then I'll design my program around that one, because then I'm sure that the other 49 states will not be unhappy with me because I'll have met or exceeded all their requirements at same time. So that's a pretty typical approach. Wouldn't you say so?
Jake Bernstein: It can be. I think a lot of companies pay most attention to whatever their home state is, but if they do business nationally, then they really do have to comply with all of them.
Kip Boyle: Right. Right. Yeah. Okay, good. So if you do business nationally, then it's good to know which state has the most demanding requirements. And right now, that could very well be Washington state, short of a California style GDPR, right?
Jake Bernstein: Yeah. Vermont, Massachusetts, a few other states have some pretty robust laws, but this one is getting there, and we're not finished yet in terms of these changes.
Kip Boyle: Oh, right. Because you said there were five.
Jake Bernstein: There were five.
Kip Boyle: I think we've done three now.
Jake Bernstein: We have, give or take.
Kip Boyle: Okay. Okay, okay. So I wonder if I should just cheat and look at your notes. Let's see here. So I'm going to do that. Let me look at your notes here. Okay. Okay, so here's another change. If you don't know something about the breach at the time you must send notifications, you have to go back and update the attorney general once you learn new information. Oh, interesting. So now the attorney general is an active member of the audience and they now get updates. Okay. And then finally, the definition of personal information, da, da, da, da, da. Okay. It's not as easy as I thought it was. Here, take your notes back. You do it.
Jake Bernstein: Yeah. That one is huge. Before I move on to that, I want to highlight the attorney general implications here. So this statute requires you to tell the attorney general everything and process is becoming a lot more important, which I like, and you like, because you always preach the importance of policy, procedure and following through on what you're supposed to do.
Kip Boyle: Yeah, definitely.
Jake Bernstein: And with the new content requirements and this update requirement, the AG is going to stay informed. And what's really interesting is if you go to the Washington state, the attorney general's office and the data breach notification page, you will find a list of all the data breach notifications. And let's see. Take a guess. How many of you think were sent to the Washington AG in July?
Kip Boyle: Just in July of this month?
Jake Bernstein: Last month. Yes.
Kip Boyle: 500.
Jake Bernstein: I'm sorry. Specific. Not like numbers of notifications, but individual breaches.
Kip Boyle: Oh. I like 500, so I'm going to say 500. I don't know.
Jake Bernstein: No. Okay. It's 1-
Kip Boyle: I haven't looked.
Jake Bernstein: ... 2, 3, 4, 5, 6, 7, 8.
Kip Boyle: Oh, just eight.
Jake Bernstein: Well, that's eight breaches. I have no idea how many people were affected. I'm only talking about the number of reported individual breaches [crosstalk]
Kip Boyle: Right. And each incident could have affected millions of records, potentially.
Jake Bernstein: Well, we know for a fact that each one affected at least 500 Washington residents, because otherwise, they wouldn't have told the attorney general.
Kip Boyle: That's why 500 was in my mind.
Jake Bernstein: That is why 500. So there's eight times 500. So that's at least 4,000 Washington residents. It's probably a lot more than that though.
Kip Boyle: Yeah. Okay. Probably is. Yeah. Okay. Okay, so the definition of personal information though.
Jake Bernstein: Yeah. Let's dig into this thing. So I think this is where things get most interesting, even though everything else we've discussed is really important. So to give some context, here's the old definition.
Kip Boyle: Okay.
Jake Bernstein: And the specific definition we're talking about is personal information with a capital P and a capital I.
Kip Boyle: And this comes from the original law, which I think was passed in 2002 or 2003.
Jake Bernstein: Yeah. I think that's right. It was [crosstalk]
Kip Boyle: It's reached its adolescence.
Jake Bernstein: Yeah. Yeah. It was amended again in 2015, but I'm pretty sure that it existed before that, but I have to check. Anyway-
Kip Boyle: Okay. What is it?
Jake Bernstein: ... here's that definition. An individual's name in combination with a social security number, state identification card number or financial account or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Kip Boyle: Okay.
Jake Bernstein: That's it.
Kip Boyle: All right. That's what it used to be.
Jake Bernstein: That's what it used to be. Fairly specific, isn't it?
Kip Boyle: Yeah. Yeah. Very specific. Yeah. That's pretty easy to understand. It may not be easy to implement because you may not realize all the data fields you have in your possession, but easy to understand.
Jake Bernstein: Well, I also think it's pretty limited. I mean, you have to have someone's name with something like a social security number, the state ID card, or a username and password, plus a financial account number. Not that many businesses hold that type of information anymore.
Kip Boyle: No, mostly you're just talking about a bank or something like that.
Jake Bernstein: Yeah. So here's the new one. So it's the old definition plus the following. And again, when compromised in combination with an individual's name, here we go. Full date of birth, any private key that is unique to an individual, and that is used to authenticate or sign an electronic record. I think this can include an AWS API key, but I'm not sure.
Kip Boyle: Yeah. Or [inaudible] key or any kind of a private encryption key. Oh my gosh. These legislatures have become... I guess we have digital natives in there. I don't know what else to think.
Jake Bernstein: I think we do. So continuing, student, military or passport ID number, a health insurance policy number or health insurance identification number, any information about the person's medical history or mental or physical condition or about a healthcare professional's medical diagnosis or treatment of the person.
Kip Boyle: Wow.
Jake Bernstein: We're not quite finished. The last [crosstalk]
Kip Boyle: No?
Jake Bernstein: ... component is biometric data generated by automatic measurements of unique biological characteristics, such as fingerprint, voice print, retina, or iris scans, et cetera.
Kip Boyle: Wow. Is there any more?
Jake Bernstein: It does. It gets better. So if the data is not encrypted or redacted, then the requirement that the data be leaked with someone's name is removed. So let's think about this.
Kip Boyle: Yeah, please. My head hurts.
Jake Bernstein: I know. So generally, in order to fall under this data breach notification statute, you usually have to leak someone's name plus some of this other data. Now, if your data was not redacted or encrypted, then even if a name isn't linked to these records, this still applies.
Kip Boyle: Oh, is that because the assumption is that with that information, you can readily discover the name of the individual?
Jake Bernstein: I think so. Yes. Now, here's one of my favorite parts. If the data "would enable a person to commit identity theft" then the name requirement is also lifted. I have no idea what this really means, but it's definitely a big expansion.
Kip Boyle: Wow. Okay. Well, so all right. Anybody doing business in Washington, or as we said, if you're doing business nationwide, you certainly should become more acquainted with this and we're certainly going to be watching.
Jake Bernstein: I wasn't quite finished.
Kip Boyle: Okay.
Jake Bernstein: There's one more piece. So a username or email account plus a password or security questions is enough on its own to trigger the law. The full name is not necessary to fall under the expanded definition.
Kip Boyle: Oh boy. All right, so these five bullets, these amendments, this is actually really substantial. This is a really substantial revision. Perhaps even massive might be the right word. Am I getting this?
Jake Bernstein: Yes, you are.
Kip Boyle: Okay.
Jake Bernstein: It's huge.
Kip Boyle: Okay. All right. Thanks. Thanks digital natives. All right. All right. Well, it's good. I mean, I'm not against this, but I'm going to have to work harder. That's all.
Jake Bernstein: Well, and if you think about the implications of expanded data breach notification laws, there is huge liability for hiding something and what you can hide is getting smaller and smaller, but also the very act of sending all this information out really opens up the floodgates of litigation as we like to say. So I would expect that these notification statutes probably will have a larger effect on security than you might realize. I think in the past, they were this nuisance law. Yes, they cost a bunch of money for postage, but they didn't necessarily have a real substantive effect on security policy. I think that's going to change.
Kip Boyle: Yeah. And the other thing just to tag onto that, I've been telling people for years now and I think this is continuing the trend, that information security, cybersecurity used to dominantly be about the technology and knowing which check boxes to check in order to have the right amount of security in your systems. And I think what this is... One of my big takeaways from the episode is that actually the law is starting to overshadow, in some ways, the technological dimension of information security and cybersecurity. I mean, it's really nosing its way into information security affairs. And so it seems like, that's just going to continue. And certainly with the... What I'm seeing is that people are actually expecting that the whole privacy domain and the information security domain are going to converge. I don't know about that entirely, but certainly, the law and the legal dimension is growing. And I think if you are a cyber risk manager and information security leader, you really have to reconcile yourself to this and get up to speed.
Jake Bernstein: I agree. You really have no choice.
Kip Boyle: So I guess [inaudible] of the future will be, in fact, bar admitted attorneys-
Jake Bernstein: [crosstalk] true.
Kip Boyle: And not systems people.
Jake Bernstein: Yep.
Kip Boyle: Well, I don't know about that exactly. I don't know when that might happen, but... Okay, this is a great update and I hope this helped our audience. So you know what? I think that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about the rather substantial changes to the Washington state data breach law. Oh, one important thing that we didn't actually touch on. Let's do this before we go. Jake, when does all this take effect?
Jake Bernstein: Oh my gosh. We did almost forget. So all these changes take effect on March 1st, 2020. So, only about-
Kip Boyle: Okay. So that's not too long from now.
Jake Bernstein: It is only about nine months.
Kip Boyle: Yeah. As we record this episode. Okay, everybody get busy and we'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.