Washington Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Washington state has one of the most comprehensive data breach notification laws in the United States. Its 30-day notification deadline is among the shortest nationally, its definition of personal information is among the broadest, and it is one of the few states where individual consumers have a private right of action to sue for notification violations.
The core statute for private entities is RCW 19.255.010. A parallel statute, RCW 42.56.590, governs state and local government agencies. The law was originally enacted in 2005 and was significantly strengthened by HB 1071, signed by Governor Jay Inslee on May 7, 2019, with the new requirements taking effect March 1, 2020.
For a broader look at Washington's privacy framework, see the parent guide to [Washington Data Privacy Laws](/us-laws/data-privacy-laws/washington-data-privacy-laws).
Who Must Comply
Washington's breach notification law applies to any person or business that conducts business in the state and owns or licenses computerized data that includes personal information about Washington residents.
There is no minimum size threshold. Any business, regardless of size, that handles personal information of Washington residents must comply.
Government agencies at the state and local level are covered under the separate statute RCW 42.56.590, which imposes substantially similar obligations.
Third-party service providers that maintain data on behalf of another business must notify the data owner or licensee immediately following discovery of a breach. The data owner then bears responsibility for consumer and AG notification.
What Qualifies as Personal Information
Washington's definition of personal information is among the broadest in the country. Under RCW 19.255.010, personal information means a resident's first name or first initial and last name combined with any of the following unencrypted data elements:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password
- Full date of birth
- Private key that is unique to an individual and used to authenticate or sign an electronic record
- Student identification number
- Military identification card number
- Passport number
- Health insurance policy number or health insurance identification number
- Medical history or information about mental or physical conditions, diagnoses, or treatment
- Biometric data generated from measurements or analysis of human body characteristics (such as fingerprint, retina, or iris images)
- Username or email address combined with a password or security questions and answers that permit access to an online account
The inclusion of date of birth, student IDs, military IDs, passport numbers, health insurance information, and full medical records makes Washington's definition substantially broader than those of most states. The 2019 amendments made by HB 1071 added several of these categories.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
What Triggers the Notification Requirement
A breach of the security system under Washington law is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.
Three conditions must be met for notification to be required:
- Personal information was, or is reasonably believed to have been, acquired by an unauthorized person
- The personal information was not secured (i.e., not encrypted or otherwise rendered unusable)
- The breach is reasonably likely to subject consumers to a risk of harm
The risk-of-harm analysis gives entities some discretion, but the standard is whether harm is "reasonably likely," not whether it has already occurred. Good-faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the information is not used or disclosed in an unauthorized manner.
The 30-Day Notification Deadline

Washington requires notification in the most expedient time possible and without unreasonable delay, but no later than 30 days after the breach was discovered.
This 30-day deadline, introduced by HB 1071, is one of the shortest in the country. Before the 2019 amendments, the deadline was 45 days.
The clock starts from the date the breach was discovered, not from the date the breach itself occurred. However, organizations should not delay their investigation as a means of avoiding the timeline.
Law enforcement may request a delay in notification if it would impede a criminal investigation. The entity must provide notification promptly after law enforcement determines notification will no longer compromise the investigation.
What the Consumer Notice Must Include
Washington law specifies required content for breach notification letters. The notice must include:
- The name and contact information of the reporting entity
- A list of the types of personal information that were or are reasonably believed to have been the subject of the breach
- The toll-free telephone numbers and addresses of the major credit reporting agencies (if the breach exposed financial data, Social Security numbers, or other data relevant to credit monitoring)
The notice must be written in plain language. Entities are encouraged, though not strictly required, to also include a description of the incident, steps taken to address the breach, and recommendations for consumers to protect themselves.
Attorney General Notification
When a breach affects more than 500 Washington residents, the entity must notify the Washington Attorney General's office within the same 30-day window.
The AG notification is submitted via an online Data Breach Notification Web Form. The notice must include:
- The number of Washington consumers affected or potentially affected
- A list of the types of personal information breached
- The time frame of exposure (if known)
- A summary of steps taken to contain the breach
- A sample copy of the security breach notification sent to consumers
The AG's office maintains a public Data Breach Notifications Directory on its website, listing all reported breaches.
Substitute Notice
Washington allows substitute notice when direct notification is not feasible. An entity may use substitute notice if:
- The cost of providing direct notice would exceed $250,000
- The affected class exceeds 500,000 people
- The entity does not have sufficient contact information
Substitute notice must include email notification (if email addresses are available) and conspicuous posting on the entity's website.
Encryption Safe Harbor

Washington provides an encryption safe harbor. If the personal information was secured (encrypted, redacted, or otherwise rendered unusable) at the time of the breach, notification is not required.
Personal information is "secured" if it is encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard, or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by an unauthorized person.
If the encryption key was also compromised in the breach, the safe harbor does not apply.
Interaction with Federal Regulations
Entities that maintain notification procedures pursuant to federal law or regulation, including HIPAA and the Gramm-Leach-Bliley Act, are deemed in compliance with Washington's notification requirements if they comply with their federal obligations.
However, these entities must still comply with the 30-day AG notification requirement when more than 500 Washington residents are affected.
Enforcement and Private Right of Action

Washington's breach notification law is enforceable under the Consumer Protection Act (RCW 19.86). This has two important implications:
Attorney General Enforcement: The Washington Attorney General can bring enforcement actions treating violations as unfair or deceptive acts. The AG can seek injunctive relief, civil penalties, and restitution.
Private Right of Action: Unlike most states, Washington allows individual consumers injured by a notification violation to bring a civil lawsuit. Consumers may recover:
- Actual damages sustained
- Up to $1,000 in punitive damages for willful violations
- Costs and reasonable attorney's fees
This private right of action makes Washington one of the more plaintiff-friendly states for breach notification enforcement. Consumers do not need to wait for the AG to act; they can pursue claims independently.
Government Agency Requirements
State and local government agencies in Washington are governed by RCW 42.56.590, which mirrors the private-sector requirements. Government agencies must:
- Notify affected residents within 30 days of discovery
- Notify the AG when more than 500 residents are affected
- Provide the same content in their notification letters
Government agencies are additionally required to maintain procedures and practices consistent with guidelines developed by the Office of the Chief Information Officer.
Sources and References
This article references Washington state statutes and official guidance from the Washington Attorney General's office. Nothing in this article constitutes legal advice. Consult a licensed attorney in Washington for guidance on specific compliance obligations.
- RCW 19.255.010: Personal Information, Notice of Security Breaches
- RCW 42.56.590: Government Agency Breach Notification
- Washington AG: Data Breach Notification Laws
- Washington AG: HB 1071 FAQ
- Washington AG: Data Breach Notifications Directory
- Washington AG: Data Breach Resource Center
- Washington AG: Identity Theft and Privacy Guide for Businesses
- Chapter 19.255 RCW: Full Text (app.leg.wa.gov)
- HB 1071 Bill Summary (app.leg.wa.gov)
- HIPAA Information (hhs.gov)
- Gramm-Leach-Bliley Act (ftc.gov)