DBN Statutes – Washington

Data Breach Notification Statutes – Washington

Last Updated: 02/28/2024

  • Applicable Statute: Wash. Rev. Code §§ 19.255.005–.040C
  • Attorney General Notice Required: Yes, if more than 500 residents are notified, the subject entity must also notify the Attorney General.
  • Timing : Within 30 days after discovery.
  • Method: Online form at https://fortress.wa.gov/atg/formhandler/ago/databreachnotificationform.aspx
  • Content : Such notice must include the number of Washington consumers affected, or an estimate if the exact number is not known; a list of the types of personal information that were or are reasonably believed to have been impacted; the time frame of exposure, if known, including the date of the breach and the date of the discovery; and a summary of steps taken to contain the breach. The entity must submit a single sample copy of the security breach notification, excluding any personally identifiable information. The notice to the Attorney General must be updated if any of the information s unknown at the time notice is due.
  • Consumer Notice Requirements:
  • Timing: Must be made in the most expedient time possible and without unreasonable delay, but no more than 30 calendar days after the breach was discovered, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system. Notice required no more than 30 days after breach is discovered.
  • Content: Must be written in plain language and must include, at a minimum, the following: 
  • The subject entity’s name and contact information;
  • A timeframe of exposure, including the date of the breach and date of discovery, if known;
  • A list of the types of personal information that were, or are reasonably believed to have been, the subject of breach; and
  • The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information
  • Method: Written notice, or electronic notice if consistent with E-SIGN. Substitute notice is available under certain conditions.
  • If a breach involved a username and password, notice can be sent electronically or by e-mail. The notice must meet the content requirements of the statute and inform the recipient to promptly change their password and take other steps to protect their information. If the breach involves login credentials of an e-mail account furnished by the subject entity, the entity cannot provide notice by e-mail to that account.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required