Washington data breach attorney review: the five things I look for before notice goes out
Operators usually send me a Washington data breach matter for written attorney review at one of three points in the incident: before any external communication has gone out, after a draft consumer notice is circulating internally, or after notice has been sent and the operator is trying to understand the enforcement exposure on the back end. The review framework is the same in all three: scope confirmation, timing posture, encryption safe-harbor documentation, content adequacy, and vendor allocation. The five questions below are what I work through when a Washington data breach file lands in my inbox. The output is a written evaluation, not a sales pitch.
1. Scope: is this actually inside Ch. 19.255?
The first read is whether the matter is in Chapter 19.255 RCW at all. The statute reaches unauthorized acquisition of computerized "personal information" of Washington residents. "Personal information" at RCW 19.255.010 is name plus a listed identifier (SSN, driver's license or Washington identification card number, financial account or credit/debit card number in combination with a security or access code, full date of birth, biometric data, private key for authentication, student/military/passport identifier, health insurance identifier, medical information, or username and email combined with a password or security question and answer). Matters involving only name and email, only IP addresses, or only behavioral data do not always fit that definition; some of them are instead addressed separately under the Consumer Protection Act (CPA), Chapter 19.86 RCW. I confirm scope before any other analysis.
2. Timing: where are you in the 30-day window?
The thirty-day consumer-notice clock runs from discovery, not from the breach event. The Attorney General notice obligation runs in parallel when a single breach affects more than five hundred Washington residents. The only allowable delay is for legitimate needs of law enforcement (in writing) plus time reasonably necessary to determine scope and restore reasonable system integrity. Discretionary delay is not a defense. I look at the discovery date, the current date, the documented delay basis (if any), and the AG-trigger threshold.
3. Encryption safe harbor: does the documentation actually support it?
The safe harbor under RCW 19.255.010 applies only when the data was encrypted and the decryption key, password, or other unlocking means was not also acquired. The burden of demonstrating the safe harbor rests on the operator. I look at the key-management policy, the access logs, the forensic determination of what the attacker actually took, and whether the operator can credibly say the keys remained protected. Partial encryption does not qualify, and neither does encrypted data whose key was also acquired.
4. Content adequacy: does the consumer notice say what the statute requires?
Statutory consumer-notice content includes a description of the personal information that was or was reasonably believed to have been acquired, a time frame, contact information, recommended steps to protect against identity theft and dispute fraudulent transactions, and toll-free numbers and addresses of the consumer reporting agencies and the FTC. AG-submission content includes the number of affected Washington residents, types of personal information involved, time frame, description, containment steps, and operator contact information. I read both the consumer notice and the AG submission draft against the statutory content list and flag every gap. I also flag overly hedged language; aggressive corporate hedging in the notice itself creates a separate Consumer Protection Act issue.
5. Vendor allocation: who is on the line, and what does the DPA say?
If a vendor or processor maintained the data, RCW 19.255.020 obliges the vendor to notify the owner promptly; the owner carries consumer and AG notice. The DPA usually allocates more specific obligations: a contractual notice window for the vendor (often twenty-four, forty-eight, or seventy-two hours from discovery), forensic and notification cost allocation, indemnification scope, and any carve-out from the contractual liability cap for breach-related costs. I read the DPA and reconcile the contractual posture with the statutory posture. Inconsistent public statements between owner and vendor create CPA exposure on their own.
What the review output looks like
The written evaluation answers the five questions above against the specific facts. It identifies the strongest enforcement exposure, the weakest part of the operator's current posture, and the recommended next step (revise the consumer notice content, file or update the AG submission, coordinate vendor messaging, or escalate to a breach-coach engagement). It is not a sales pitch for any particular further engagement; if the matter is in good shape, the evaluation will say so.
What to send
- Incident timeline (discovery date, containment date, current status).
- Data inventory or system-affected summary.
- Encryption and key-management posture, plus the forensic determination on what the attacker took.
- Current draft consumer notice and AG submission, plus any prior notices already sent.
- DPAs with any vendor or processor in the data chain.
- Any law-enforcement delay request and the lift (if any).
- The cyber-insurance coverage summary, plus any breach-coach engagement letter.
Send to owner@terms.law with subject "Washington data breach review - $125." Two business-day turnaround.
Primary sources
- RCW 19.255.010: breach definitions, consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.040: consumer protection section; AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090.
- RCW 19.86.090: CPA private action (available only if a separate Chapter 19.86 claim is independently supported on the facts).
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.