What happens after your company is the subject of a data security breach?

Introduction
What happens after your company is the subject of a data security breach? Washington's RCW 19.255 imposes specific obligations on employers following a security breach involving personal information. Employers must act swiftly to notify affected individuals and, in certain cases, the Attorney General. This post outlines those core responsibilities and compliance best practices.

1. Who Must Comply and What Triggers Obligations
   • The law applies to any person or business conducting business in Washington state that owns, licenses, or possesses personal information included in computerized data files. A breach occurs when there is unauthorized acquisition that compromises the security, confidentiality, or integrity of that information.
   • "Personal information" includes combinations such as a resident's name in conjunction with SSN, driver's license, account number with access codes, full date of birth, private electronic signature keys, IDs, medical history, and biometric data. It also covers usernames or email addresses with passwords or security question/answer combinations.
2. Notification to Affected Individuals

Timing Requirements

• Employers must notify the affected individuals in the most expedient time possible, without unreasonable delay, and no more than 30 days after discovering the breach. While a quick response is a requirement Employers should consult with legal counsel before...

Read Full Story: https://news.google.com/rss/articles/CBMizAFBVV95cUxQS1NDbnlfY0JXaTdIdzR3cWw0...