Data Breach Requirements

Last updated: September 25, 2024

Overview

The UW Privacy Office is responsible for overseeing, managing, and directing investigations of potential or confirmed data breaches involving personal data, other than or in addition to protected health information or areas under the authority of the Institutional Review Board. For information about reporting an incident or a suspected or confirmed data breach, please visit our Report Incident or Data Breach page.

There are multiple laws and regulations related to privacy, personal data, or data breach notification in the United States and internationally. Each law is likely to provide its own definition of what is and is not personal data or another analogous defined term (e.g., “individually identifiable information”), as well as what is and is not a data breach.

Requirements regarding who, when, and how to notify individuals about a data breach are also likely to vary by state, country, and/or region (e.g., EU GDPR), by contract (including any data processing or data sharing agreement), and/or by other applicable circumstances (e.g., data type or data processing activity).

In addition, the period of time within which notification must take place can vary widely, anywhere from 72 hours to 30 days (or perhaps even longer) after becoming aware of the data breach, again depending upon the applicable law/regulation, contract, circumstances, etc.

WA State breach notification law

The requirements of Washington State’s breach notification law (RCW 42.56.590) may apply to data breaches involving “personal information”, which the law defines as:

  • First name or first initial and last name in combination with one or more of the following data elements:
    • Social security number (SSN) or last 4 digits of SSN;
    • Driver’s license number or WA identification card number;
    • Account number, credit or debit card number, or any required security code, access code, or password that would permit access to an individual’s financial account, or any other numbers or information that can be used to access a person’s financial account;
    • Full date of birth;
    • Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
    • Student, military, or passport identification number;
    • Health insurance policy number or health insurance identification number;
    • Any information about an individual’s medical history, or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the individual; or
    • Biometric data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual.
  • User name or email address in combination with a password or security questions and answers that would permit access to an online account
  • Any of the data elements listed above, or any combination of those data elements, without first name or first initial and last name, if those data elements:
    • Are not encrypted, redacted, or otherwise made unusable; and
    • Would enable identity theft.