Washington data breach notification checklist: the operative items Chapter 19.255 RCW requires you to hit
When a Washington business discovers a security incident, the operative legal questions are narrower than they feel in the moment. Chapter 19.255 RCW imposes consumer-notice and Attorney-General-notice obligations on operators that own or license unsecured personal information of Washington residents: a thirty-day window that runs from discovery, an AG notice trigger when more than five hundred Washington residents are affected, an encryption safe harbor that holds only when the key or other means of decryption was not also acquired, and statutory content requirements for both the consumer notice and the AG submission. The two mistakes I see most often are opposites: rushing notice before scope is determined, and treating the thirty-day window as soft. The checklist below is the framework I walk an operator through before notice goes out. It is an educational resource, not Washington legal advice for a specific incident.
Scope decision: is this actually in Ch. 19.255?
- Confirm Washington residents are affected. Out-of-state residents follow their own state statute.
- Confirm the data is "personal information" as Chapter 19.255 defines it: a first name or first initial and last name combined with a listed data element (SSN; driver's license or state ID number; account or card number together with any code that permits access; full date of birth; biometric data; health insurance or medical information; passport, military, or student ID number; and others in the statutory list). Login credentials (a username or email address with the password, or with the security question and answer) qualify on their own, without the name. A listed data element without the name can also qualify where it was not secured and would enable identity theft. Name-only generally does not qualify.
- Confirm acquisition versus exposure. The statute reaches unauthorized acquisition, not bare exposure. A misconfigured database the operator can show was not accessed is treated differently from one where acquisition cannot be ruled out, and the operator is the party that has to be able to make that showing, from logs, not from assumptions.
- Run the encryption safe harbor: was the data secured (encrypted to a standard that meets or exceeds the NIST standard, or otherwise rendered unreadable, unusable, or undecipherable), and were the keys, passwords, or other means of decryption kept out of the attacker's hands? Both must be true for the safe harbor to apply.
- Check the risk-of-harm exception: notice is not required where the breach is not reasonably likely to subject consumers to a risk of harm. Treat this as a documented conclusion, not a reflex, because it will be the first thing the AG asks about if notice was withheld.
- If health, wellness, biometric, mental-health, reproductive, or gender-affirming data is involved, escalate to the My Health My Data Act framework (Chapter 19.373 RCW) in parallel; that statute has its own definitions and obligations and is not satisfied by a Ch. 19.255 notice.
Timing: the 30-day clock and the AG trigger
- Consumer notice in the most expedient time possible and without unreasonable delay, and in no event more than thirty calendar days after the breach was discovered (RCW 19.255.010). Thirty days is the ceiling, not the target.
- AG notice within the same thirty-day window when a single breach affects more than five hundred Washington residents.
- Allowable delay: a law-enforcement determination that notice would impede a criminal investigation (document the written delay request and the date it is lifted), plus measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. There is no general extension for an operator that simply wants more time.
- Update the AG submission if any required item was unknown at the time the notice was due.
Content: what the consumer notice has to say
- The name and contact information of the reporting business.
- A list of the types of personal information that were, or are reasonably believed to have been, acquired.
- The time frame of exposure, if known, including the date of the breach and the date it was discovered.
- Recommended steps to protect against identity theft and to dispute fraudulent transactions.
- Toll-free numbers and addresses of the major consumer reporting agencies and the Federal Trade Commission.
- Plain language. The statute requires it, and the notice is a consumer communication; aggressive corporate hedging in the notice creates Consumer Protection Act exposure all by itself.
Content: what the AG submission has to include
- Number of affected Washington residents, or an estimate if the exact number is not yet known.
- Types of personal information involved.
- Time frame of exposure, if known, including the date of the breach and the date of discovery.
- Description of the breach.
- Steps taken to contain the breach.
- A sample copy of the consumer notice, with no personally identifiable information in it.
- Operator contact information.
- Update obligation if any required item was unknown at the time of the original AG submission.
Vendor and processor allocation
- If you are the data owner, your processor's notice obligation under RCW 19.255.020 runs to you, not to consumers. The consumer-notice and AG-notice obligations, and the thirty-day clock, remain with you.
- If you are the processor, notify the owner immediately following discovery, which is the statute's own standard, and document the notice in writing with the date and time it was sent.
- Read the data processing agreement before sending anything. The DPA typically sets the contractual notice window (often twenty-four, forty-eight, or seventy-two hours), the cost allocation for forensic and notification work, the indemnification scope, and any carve-out from the contractual liability cap for breach-related costs.
- Coordinate the public-facing notice content with the owner. Inconsistent statements are CPA risk.
Enforcement exposure: the consumer-protection section at RCW 19.255.040
- RCW 19.255.040 is the consumer protection section of Chapter 19.255. It gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations and separately lets an injured consumer bring a civil action for damages and injunctive relief.
- The statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. Do not assume the full RCW 19.86.090 private CPA remedy stack (treble damages, one-way attorney's fees) automatically applies to a breach-notification claim.
- A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements (unfair or deceptive act, in trade or commerce, public-interest impact, injury to business or property, causation).
- Four-year statute of limitations under RCW 19.86.120 applies to any independent Chapter 19.86 claim.
Litigation preservation
- Preserve logs, forensic images, chain-of-custody documentation, and the timeline.
- Maintain attorney-client privilege over the investigation by retaining counsel before the forensic engagement when feasible.
- Preserve all communications with affected consumers, regulators, vendors, and the media.
- Coordinate with cyber insurance; many policies require notice and pre-approved breach-coach selection within tight windows.
Why the encryption safe harbor is binary, not partial
Encryption only protects when the decryption key, password, or other means to render the data readable was not also acquired by the unauthorized person. Encrypting some fields does not secure the rest: if the name column is encrypted but the SSN column is not, the unencrypted elements are what drive the notice analysis. Key-protected encryption of the elements actually taken is the safe harbor. The operator bears the practical burden of demonstrating that the safe harbor applies, and the demonstration is built from three things: the key-management policy (where keys live, who can read them, whether they were ever co-located with the data), the access logs for the key store, and the forensic analysis of what the attacker actually took. If the key store's logs cannot answer whether the key was read, the safe harbor cannot be proven. Document this posture before the incident, not after.
What I review when you send a Washington breach matter
When you send the incident timeline, the data inventory, the encryption and key-management posture, the current draft consumer and AG notices, the DPA with any vendor or processor in the chain, and the forensic summary, I walk Ch. 19.255 against the specific facts and tell you where the content is adequate, where the timing is off, where the safe-harbor documentation needs to be stronger, and what the AG submission still needs. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.255.005: legislative intent.
- RCW 19.255.010: definitions, consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.040: consumer protection section; AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090.
- RCW 19.86.090: CPA private action (only if a separate Chapter 19.86 claim is independently supported).
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship.