The Washington attorney general’s lawsuit against Uber highlights an organization’s disclosure obligations in Washington State in the event of a data breach.
The Nov. 28 suit, filed in King County Superior Court, is thought to be the first time Washington’s data disclosure statute has been pressed in court. It alleges that Uber Technologies, Inc., violated RCW 19.255 by keeping the fact of its data breach by a hacker secret for about a year. The suit alleges the breach affected more than 10,000 Washington residents.
RCW 19.255.010, enacted in 2015, applies to any person or business that conducts business in Washington that owns or licenses data that includes “personal information.” The statute defines “personal information” as a person’s first and last name, in conjunction with his or her social security number, driver’s license number, or account or credit card number, and security code or password that would permit access to the person’s account.
It requires the notification of affected persons and the attorney general within 45 days of the discovery that personal information “was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured.”
The statute defines “secured” in this context as being “encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”
Required notifications must be made in writing, and include: (a) the name and contact information of the person or business making the report; (b) a list of the types of personal information that were or are reasonably believed to have been disclosed; and (c) the addresses and toll-free telephone numbers of the major credit reporting agencies.
Violators of this RCW 19.255 are subject to suit by both the affected persons and the attorney general.
The takeaways from ths lawsuit are obvious but important: (1) if your organization stores personal information, make sure it doesn’t get out; (2) encrypt all stored information in accordance with NIST standards; and (3) immediately fess up to any data breach in the form the statute requires so you don’t get into more trouble than you’re already in.