Washington data breach notification checklist: the operative items Chapter 19.255 RCW requires you to hit
When a Washington business discovers a security incident, the operative legal questions are narrower than they feel in the moment. Chapter 19.255 RCW imposes consumer-notice and Attorney-General-notice obligations on operators that own or license unencrypted personal information of Washington residents, with a thirty-day window from discovery, a five-hundred-resident AG trigger, an encryption safe harbor that only holds when the decryption key was not also acquired, and statutory content requirements for the notice itself. The mistake I see most often is rushing notice before scope is determined or, in the other direction, treating the thirty-day window as soft. The checklist below is the framework I walk an operator through before notice goes out. It is an educational resource, not Washington legal advice for a specific incident.
Ask my AI Legal Analyst about Washington consumer health data and MHMDA?
Tap a question for an instant, free answer (no email needed), or describe your product and the analyst routes you to the right next step.
Common Washington consumer-health-data questions, always free
Scope decision: is this actually in Ch. 19.255?
- Confirm Washington residents are affected. Out-of-state residents follow their own state statute.
- Confirm "personal information" within RCW 19.255.010: name plus a listed identifier (SSN, driver's license, account+code, full date of birth, biometric data, login credentials, others). Name-only or email-only generally does not qualify.
- Confirm acquisition versus exposure. The statute reaches unauthorized acquisition, not bare exposure. A misconfigured database the operator can prove was not acquired is treated differently from one where acquisition cannot be ruled out. Burden of proof is on the operator.
- Run the encryption safe harbor: was the data encrypted, and were the keys, passwords, or other unlocking means protected? Both must be true for the safe harbor to apply.
- If health, wellness, biometric, mental-health, reproductive, or gender-affirming data is involved, escalate to the MHMDA framework (Chapter 19.373 RCW) in parallel; that statute has its own structure.
Timing: the 30-day clock and the AG trigger
- Consumer notice no more than thirty calendar days from discovery, in the most expedient time possible, without unreasonable delay (RCW 19.255.010).
- AG notice within the same thirty-day window when a single breach affects more than five hundred Washington residents.
- Allowable delay: legitimate needs of law enforcement (document the written delay request and the lift), plus time reasonably necessary to determine scope and restore reasonable system integrity. Discretionary delay is not on the menu.
- Update the AG submission if any required information was unknown at the time the notice was due.
Content: what the consumer notice has to say
- A description of the personal information that was or was reasonably believed to have been acquired.
- A time frame of the breach.
- Contact information for the operator.
- Recommended steps to protect against identity theft and to dispute fraudulent transactions.
- Toll-free numbers and addresses of the major consumer reporting agencies and the Federal Trade Commission.
- Plain English. The notice is a consumer communication; aggressive corporate hedging in the notice creates Consumer Protection Act exposure all by itself.
Content: what the AG submission has to include
- Number of affected Washington residents.
- Types of personal information involved.
- Time frame of the breach.
- Description of the breach.
- Steps taken to contain the breach.
- Operator contact information.
- Update obligation if any required item was unknown at the time of the original AG submission.
Vendor and processor allocation
- If you are the data owner, your processor's notice obligation under RCW 19.255.020 runs to you. The consumer-notice and AG-notice obligations remain with you.
- If you are the processor, notify the owner promptly on discovery. Document the notice in writing.
- Read the data processing agreement before sending anything. The DPA typically sets the contractual notice window (often twenty-four, forty-eight, or seventy-two hours), the cost allocation for forensic and notification work, the indemnification scope, and any carve-out from the contractual liability cap for breach-related costs.
- Coordinate the public-facing notice content with the owner. Inconsistent statements are CPA risk.
Enforcement exposure: the consumer-protection section at RCW 19.255.040
- RCW 19.255.040 is the consumer protection section of Chapter 19.255. It gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations and separately lets an injured consumer bring a civil action for damages and injunctive relief.
- The statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090. Do not assume the full RCW 19.86.090 private CPA remedy stack (treble damages, one-way attorney's fees) automatically applies to a breach-notification claim.
- A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements (unfair or deceptive act, in trade or commerce, public-interest impact, injury to business or property, causation).
- Four-year statute of limitations under RCW 19.86.120 applies to any independent Chapter 19.86 claim.
Litigation preservation
- Preserve logs, forensic images, chain-of-custody documentation, and the timeline.
- Maintain attorney-client privilege over the investigation by retaining counsel before the forensic engagement when feasible.
- Preserve all communications with affected consumers, regulators, vendors, and the media.
- Coordinate with cyber insurance; many policies require notice and pre-approved breach-coach selection within tight windows.
Why the encryption safe harbor is binary, not partial
Encryption only protects when the decryption key, password, or other means to render the data readable was not also acquired by the unauthorized person. Partial encryption is not the safe harbor. Key-protected encryption is. The operator bears the burden of demonstrating that the safe harbor applies; the demonstration is built from key-management policy, access logs, and the forensic analysis of what the attacker actually took. Document this posture before the incident, not after.
What I review when you send a Washington breach matter
When you send the incident timeline, the data inventory, the encryption posture, the current draft consumer and AG notices, the DPA with any vendor or processor in the chain, and the forensic summary, I walk Ch. 19.255 against the specific facts and tell you where the content is adequate, where the timing is off, where the safe-harbor documentation needs to be stronger, and what the AG submission still needs. The output is a written evaluation, not a sales pitch.
Payment
Flat fee, paid up front through a secure PayPal checkout, so the budget is fixed before any work starts. The Written Attorney Consultation is a flat $240. There is no hourly meter and no surprise invoice. If a matter is unusually large or turns into extended negotiation, I tell you before any additional work and we agree on scope first.
Delivery
Drafts in 2 to 3 business days, even for complex agreements. I work weekends when a matter needs it and it is engaged. You receive the work product by email in an editable format, with brief written comments explaining the key issues and the reasoning behind the main choices.
Process
- Send the materials. Email me your current documents, screenshots, and a short description of the product and the Washington consumers it touches.
- I confirm scope and run a conflict check. Engagement begins only after that check and a written confirmation of what is included.
- I draft or review. You get the deliverable with plain-language comments on the highest-risk items first.
- We refine. Reasonable revision rounds are included so the final version fits how your product actually works.
Scope
This is attorney-supervised regulatory and document work under my California license: issue spotting, compliance planning, drafting, and review. It is not Washington court representation. For Washington filings, litigation, or any court appearance, I coordinate with Washington-admitted counsel. Nothing here creates an attorney-client relationship until a conflict check clears and an engagement is confirmed in writing.
Send your question, a short factual summary, and your key documents. You get a written attorney response identifying the main legal issues, the risks, and the practical next steps, so you know whether you have a real exposure and what to do about it. Provided under my California license; for Washington court representation I coordinate with Washington-admitted counsel.
See the full Washington MHMDA resource → or email me directly for a scoped quote.
Primary sources
- RCW 19.255.005: legislative intent.
- RCW 19.255.010: definitions, consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.040: consumer protection section; AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090.
- RCW 19.86.090: CPA private action (only if a separate Chapter 19.86 claim is independently supported).
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar. Nothing on this page creates an attorney-client relationship.