Washington data breach exposed your information and the company stayed silent? Demand letter strategy under Ch. 19.255 RCW and the consumer protection section
Washington's data breach statute, Chapter 19.255 RCW, requires a business that owned or licensed your unencrypted personal information to notify you within thirty days of discovering an unauthorized acquisition, with a parallel notice to the Washington Attorney General when more than five hundred Washington residents are affected in a single breach. When the business misses that window, downplays the scope, or sends a vague form letter that does not match the statutory content requirements, RCW 19.255.040 is the consumer protection section: it gives the Attorney General CPA-style enforcement authority and separately lets an injured consumer bring a civil action for damages and injunctive relief, but the statute itself says an action to enforce Ch. 19.255 may not be brought under RCW 19.86.090. The honest answer up front: most of the consumer-side recovery in a Washington breach matter comes through the AG, an FTC parallel action, or a class case, not a single individual demand letter. A well-built individual letter still does real work, but its job is usually to preserve rights, get a credible recovery offer, and document the company's response for any later collective action.
Fast triage: does Ch. 19.255 actually apply to your matter?
Before I read the documents I run five fast questions. The answers tell me whether the matter sits inside Ch. 19.255 with the consumer protection section in play, sits inside MHMDA (the separate health-data statute at Chapter 19.373 RCW), or is a contract or negligence claim wearing privacy clothes.
- Were you a Washington resident at the time the breach happened? Ch. 19.255 protects Washington residents specifically; out-of-state residents notified by a Washington business follow their own state's statute.
- Did the breach involve "personal information" as defined at RCW 19.255.010? That is a name plus one of the listed identifiers (SSN, driver's license, account number with security code, full date of birth, biometric data, login credentials, and others). Email-only or name-only does not always qualify.
- Was the data unencrypted or was an attacker able to acquire both the encrypted data and the decryption key, password, or other unlocking means? Encrypted-and-key-protected data triggers the safe harbor.
- Did the company actually send notice? If yes, was it within thirty days of discovery, and did the consumer notice include the statutory content (categories acquired, time frame, steps to take, toll-free numbers for the consumer reporting agencies and the FTC)?
- Did the breach plausibly affect more than five hundred Washington residents in a single breach? If yes, the AG notice obligation runs in parallel and is independently checkable on the AG breach archive.
If you answer yes to one through three, and the answer to four is "no notice, late notice, or insufficient notice," the matter has the shape of a Ch. 19.255 demand-letter candidate. If the affected data is health, wellness, biometric, mental-health, reproductive, or gender-affirming data, the matter probably also implicates MHMDA, which has its own consent-and-policy framework. I cover that separately at the data breach vs. MHMDA comparison.
The legal hooks: how Washington frames a breach-notification failure
RCW 19.255.010 imposes the consumer-notice obligation on any person or business that owns or licenses computerized personal information about Washington residents. Notice must be made in the most expedient time possible and without unreasonable delay, no more than thirty calendar days after the breach was discovered, subject only to the legitimate needs of law enforcement and the time reasonably necessary to determine scope and restore reasonable system integrity. Source: RCW 19.255.010.
The same section sets the AG-notice trigger. If a single breach affects more than five hundred Washington residents, the operator must also notify the Washington Attorney General no more than thirty days after the breach was discovered, with statutory content requirements (number of affected Washington residents, types of personal information involved, time frame, description of the breach, steps taken to contain the breach, contact information). The AG notice has to be updated if any required information is unknown at the time the notice is due. The same statute sets the consumer-notice content: a description of the personal information that was or was reasonably believed to have been acquired, a time frame, contact information, and recommended steps to protect against identity theft and to dispute fraudulent transactions, including the toll-free numbers and addresses of the consumer reporting agencies and the Federal Trade Commission.
RCW 19.255.020 imposes the parallel obligation on a non-owner that maintains computerized personal information on behalf of an owner or licensee: prompt notice to the owner or licensee, who then carries the consumer and AG notice. Vendors and processors live in this section. The statute does not put the consumer-notice obligation directly on the processor; that allocation is in the contract and runs through the data owner.
RCW 19.255.040 is the consumer protection section. It gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations under the public-interest and unfair-or-deceptive framework, and it separately lets an injured consumer bring a civil action for damages and injunctive relief. The statute itself says, however, that an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. That means I do not assume the full RCW 19.86.090 private CPA remedy stack (treble damages capped at twenty-five thousand dollars per RCW 19.86.020 violation, one-way attorney's fees) automatically attaches to a breach-notification claim. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements (unfair or deceptive act, in trade or commerce, public-interest impact under RCW 19.86.093, injury to business or property, causation), and the four-year statute of limitations under RCW 19.86.120 applies to that independent claim.
RCW 19.255.030 is a separate provision addressing federal-law and HIPAA covered entities, financial institutions subject to Gramm-Leach-Bliley, and similar federally regulated actors. It is not the consumer enforcement section for the average Washington breach matter.
Where the breach-notification claim breaks down for an individual consumer
This is the honest part of the analysis. Even when Ch. 19.255 plainly applies and RCW 19.255.040 supplies a consumer civil action for damages and injunctive relief, an individual consumer's damages on a breach claim are usually hard to quantify in advance of fraud actually occurring on the account. Identity-theft monitoring, time spent freezing credit, and out-of-pocket fees may qualify as recoverable damages, but they are often small relative to the cost of litigating. The leverage in a Washington breach matter is usually class-scale or AG-scale, not individual-scale, and the statute foreclosing the RCW 19.86.090 remedy stack for a Chapter 19.255 claim makes that even more true. An individual demand letter still does meaningful work: preserving the limitations period, putting the company on written notice that you know the statute, documenting the gap between the company's notice and the statutory content requirements, and creating a record that travels into any later class case. But I will tell you up front whether your matter realistically supports a one-letter recovery, whether the AG or FTC complaint route is more practical, or whether you are best served waiting for the inevitable class action.
What a Washington breach demand letter should do
A breach demand letter is calibrated to the notice failure and the consumer protection section, not to the breach itself. The company did not commit the breach against you (an attacker did); the company committed the notice violation. A well-built letter usually does each of the following.
- Identifies the breach by date, scope, and the category of personal information involved, using the company's own notice (or lack of it) and the AG breach archive as the record.
- Identifies the specific Ch. 19.255 obligation the company failed: late consumer notice past the thirty-day window, missing AG notice on a 500-plus breach, missing statutory content in the consumer notice (no time frame, no FTC numbers, no CRA contact information), or quiet retreat to an "out of an abundance of caution" letter when the statute required real notice.
- Cites the consumer protection section at RCW 19.255.040 for the AG enforcement framework and the consumer civil action for damages and injunctive relief, and references any independently available RCW 19.86.090 claim without assuming the full CPA remedy stack auto-routes from Chapter 19.255.
- Quantifies your injury to property: identity-theft monitoring services you bought, fees to freeze and unfreeze credit, time spent disputing fraudulent transactions documented in writing, and any out-of-pocket loss tied to fraud on the account. Specific arithmetic is more credible than "damages to be proven."
- Demands a specific, acceptable outcome: extended identity-protection coverage, refund of any monitoring you bought yourself, a corrected statutory notice if the prior one was deficient, and a written commitment that the company will preserve breach-related records.
- Preserves the four-year CPA SOL by sending the letter in writing and documenting transmission (certified mail with return receipt plus email to the company's privacy or compliance contact).
- Reserves the option to refer the matter to the Washington Attorney General, the FTC, and class counsel without threatening any of those in a way the company would read as theatre.
Documents to gather before the letter goes out
- The company's breach notice (letter, email, or web post), with date sent or posted.
- The Washington AG breach-archive entry for the breach, if one exists. The AG keeps a public archive of breach notifications.
- Any FTC, state-AG, or other regulator notice you have received.
- Bank, credit-card, or payment-app statements showing any fraudulent activity on the account, with dates and dispute outcomes.
- Receipts for identity-theft monitoring you purchased, credit-freeze fees, and time records of work you missed dealing with fallout.
- A short timeline of when the breach happened (per the company's notice), when you discovered it, and what you did in response.
When this becomes worth hiring an attorney
An attorney-drafted Washington breach demand letter is more likely to change the outcome when you have documented fraud or out-of-pocket loss in the hundreds of dollars or higher, when the company's notice has a clear statutory defect (missing content, missed window, or no AG notice on a 500-plus breach), and when the company is a real business with assets and a brand worth protecting. It is less likely to change the outcome when the only injury is exposure with no fraud yet, when the data category is borderline (email-and-name without an authenticator), or when a class action is already pending and your individual claim will be absorbed there.
What I review when you send a Washington breach matter
Most Washington breach matters belong in one of three buckets: a tightly scoped individual letter that gets a monitoring extension and a small cash settlement, an AG or FTC complaint that I help draft for free or as part of a $125 evaluation, or a referral into an existing or pending class case. When you send the file I read the notice, walk the Ch. 19.255 elements against the specific facts, and form an honest view of which bucket fits. The output is a written evaluation, not a sales pitch. If the matter does not support a $575 demand letter, I will say so and route you to the cheaper path.
Primary sources
- RCW 19.255.005: legislative intent.
- RCW 19.255.010: definitions, consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.030: federal-law / HIPAA covered entities and Gramm-Leach-Bliley financial institutions.
- RCW 19.255.040: consumer protection section. AG CPA-style enforcement plus consumer civil action for damages and injunctive relief. Statute itself precludes action to enforce Chapter 19.255 from being brought under RCW 19.86.090.
- RCW 19.86.090: CPA private action, treble enhancement, attorney's fees, available only for an independent Chapter 19.86 claim that satisfies the CPA elements on its own facts.
- RCW 19.86.093: codification of the public-interest paths.
- RCW 19.86.120: four-year statute of limitations.
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship, and nothing on this page is Washington legal advice for a specific matter. A Washington-admitted attorney should verify both the operative statute text and any case citations before relying on them in court or correspondence on a live dispute.