Last month, I wrote about a bill introduced in the state legislature of Washington that would mimic the California Consumer Privacy Act, but would be even more strict in some cases.
It has been a rollercoaster ride for the bill's sponsor and supporters. The bill originally enjoyed overwhelming support in the Senate, but later, after stalling in a House committee, the bill seemed dead; the state's Chief Privacy Officer thought the bill was doomed.
Just days later, a data security bill was approved by the legislature and presented to the Governor for signature. (It seems likely that the data security bill is being adopted instead of the privacy bill.)
As amended, the data security bill will:
- expand the definition of "consumer information" for purposes of triggering the breach notification requirements;
- address breaches that specifically involve usernames and passwords;
- provide a 30-day notification timeframe; and
- add information to be included in breach notifications.
You can read the data security bill here.