Washington joins Massachusetts as the second state this year to amend its data breach notification law. The amendments will not take effect, however, until March 1, 2020. As amended, the definition of personal information has been expanded to include name and date of birth, making Washington only the second state (North Dakota being the other) with this element in its law. Also included are name and student ID number, military ID number, or passport number; name and health insurance numbers or medical information; and name and biometric information. Login credentials are now also included in the definition of personal information.

In addition to expanding the definition of personal information, the law will also require notification to impacted individuals and the attorney general (if more than 500 residents have been impacted) within 30 days, rather than the current 45. When providing notice, companies will also need to explain the “time frame of exposure,” in addition to existing content requirements (like the types of information impacted).

Putting it Into Practice: Companies will have time before the Washington amendment goes into effect, but should keep in mind that beginning next year the scope of personal information will be broader in Washington, and that the time frame for notification will be shortened to 30 days.