Washington Data Breach Notification: An Operator's Guide
Washington's private-entity data breach notification statute, Chapter 19.255 RCW, requires any person or business that owns or licenses computerized personal information about Washington residents to disclose a breach of system security to affected residents, and in many cases to the Washington Attorney General. This guide walks through the definitions, the encryption safe harbor, the consumer and AG notice timing, the vendor and SaaS issues, and how the Washington framework compares to California's notification regime. It is an educational resource, not Washington legal advice.
Quick answer
If unencrypted personal information of Washington residents was acquired by an unauthorized person, the operator that owned or licensed the data must notify affected Washington residents and, if the breach affects more than 500 Washington residents, also notify the Washington Attorney General no more than 30 days after the breach was discovered. There is a defined encryption safe harbor and a defined process for breaches where the operator was a vendor or processor rather than the data owner.
Statutory intent
The legislature stated the policy reason for the statute plainly: the Attorney General should receive notification when breaches occur so that appropriate action can be taken to protect consumers, and consumers whose personal information has been jeopardized should be given the information they need to secure financial accounts and minimize harm from identity theft. That intent is the lens any close call should be read through.
What counts as personal information
"Personal information" under RCW 19.255.010 is, in essence, a Washington resident's first name or first initial and last name in combination with one or more defined data elements that are not encrypted or otherwise secured. The data-element categories include (without re-quoting the statute verbatim here, because the list has been amended over time and the current operative text controls):
- Social Security numbers.
- Driver's license or Washington identification card numbers.
- Account numbers, credit or debit card numbers, in combination with any required security or access code or password.
- Full date of birth.
- Private key uniquely used to authenticate or sign an electronic record.
- Student, military, or passport identification numbers.
- Health insurance policy numbers or identifiers.
- Medical information, including a history or condition.
- Biometric data generated by automatic measurements of an individual's biological characteristics.
- Username or email address in combination with a password or security question and answer.
Read the current statutory list at RCW 19.255.010 before deciding what is or is not personal information in a specific incident; the categories above are a working summary, not a substitute for the statute.
What counts as a breach of system security
The statute defines a "breach of the security of the system" by reference to unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. The standard is acquisition, not mere exposure: a misconfigured database that was never accessed by an unauthorized person, and that the operator can confirm was not acquired, is not automatically a breach for notice purposes. That said, the burden of demonstrating that the data was not in fact acquired generally falls on the operator. Forensic investigation matters.
Encryption safe harbor
Notice obligations attach only when the personal information is acquired in unencrypted or otherwise unsecured form. Encrypted data acquired without the corresponding decryption key, password, or other means to render the data readable does not, by itself, trigger notice. Personal information must be disclosed if the data was not secured during the breach, or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person at the same time.
Practical lesson: encryption is real protection, but only when the key is separated from the data. The safe harbor turns on what the attacker acquired, not on whether the data was encrypted at rest. If the attacker took the database and the secrets vault, key store, or the credentials that unlock it, the encryption safe harbor does not apply.
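The key-separation point above is easiest to see in code. The following is an added example, not code from the original page or from any project it describes: envelope encryption in Go, where each field is encrypted under a per-record data key (DEK) and the DEK is wrapped under a key-encryption key (KEK) that is never stored in the database. It assumes a separate key store exists for the KEK (a KMS or HSM in practice); here the KEK is generated in process only to model the separation, and the sample record value is constructed, not real personal information.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is all the application database stores for one protected field:
// ciphertext, its nonce, and the DEK wrapped under the KEK. The KEK itself
// lives in a separate key store (assumption), so a dump of Records is opaque.
type Record struct {
	Nonce      []byte // nonce for the field ciphertext
	Ciphertext []byte // field encrypted under the per-record DEK
	DEKNonce   []byte // nonce for the wrapped DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

// NewKEK generates a 256-bit key-encryption key. In production this key is
// held by a KMS/HSM and never written next to the data (assumption).
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key using a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; a wrong key fails the GCM tag check.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Encrypt builds a Record: a fresh DEK encrypts the field, the KEK wraps the
// DEK, and the plaintext DEK is zeroed before returning.
func Encrypt(kek, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	nonce, ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK: unwrap the DEK, then open the field. Without the KEK
// (the statute's "means to decipher") the Record cannot be read.
func Decrypt(kek []byte, r *Record) ([]byte, error) {
	dek, err := open(kek, r.DEKNonce, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Nonce, r.Ciphertext)
}

func main() {
	kek, _ := NewKEK()
	rec, err := Encrypt(kek, []byte("Jane Sample, SSN 000-00-0000")) // constructed value
	if err != nil {
		panic(err)
	}
	// Scenario 1: attacker has a database dump (rec) but not the key store.
	if _, err := Decrypt(make([]byte, 32), rec); err != nil {
		fmt.Println("dump alone is unreadable:", err)
	}
	// Scenario 2: attacker has the dump and the KEK; no safe harbor.
	pt, _ := Decrypt(kek, rec)
	fmt.Println("dump plus KEK:", string(pt))
}
```

Scenario 1 is the case the safe harbor covers: the acquired data is encrypted and the key was not acquired with it. Scenario 2 is the case L23 describes as still requiring notice. The design choice that makes the distinction real is that the KEK is reachable only through a path (KMS, HSM, vault) with its own access logging, so the forensic record can show whether the key was in fact acquired.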
Timing of notice
Consumer notice
Notice to affected Washington residents must be made in the most expedient time possible and without unreasonable delay, no more than 30 calendar days after the breach was discovered, subject to the legitimate needs of law enforcement and the time reasonably necessary to determine scope and restore reasonable system integrity.
Attorney General notice
If a single breach affects more than 500 Washington residents, the operator must also notify the Washington Attorney General. The statute makes the AG-notice timing explicit: no more than 30 days after the breach was discovered, the same window that governs consumer notice.
The AG notification has defined content requirements (number of affected Washington residents, types of personal information involved, time frame of the breach, description of the breach, steps taken to contain it, and contact information for the operator). If any required item is unknown when the notice is due, the operator files what it has and updates the AG notification as the information becomes available; an unknown item does not extend the deadline.
Content of consumer notice
Statutory consumer notice content includes the toll-free numbers and addresses of the consumer reporting agencies and the Federal Trade Commission, a description of the personal information that was or was reasonably believed to have been acquired, a time frame, contact information, and recommended steps to protect against identity theft and to dispute fraudulent transactions.
Vendor and SaaS issues
This is the part of the statute most relevant to SaaS operators. If the operator maintains or processes personal information that it does not own or license, the operator's obligation runs to the owner or licensee of the information, not directly to affected residents. The processor must notify the owner or licensee immediately following discovery, and the owner or licensee then carries the consumer and AG notice obligations.
That allocation in the statute is not the same as the allocation in the contract. SaaS DPAs routinely allocate breach obligations between customer and vendor, including:
- Vendor's notification deadline to the customer (often shorter than the statutory deadline to give the customer time to comply).
- Whether the vendor or customer is responsible for sending the consumer notices and managing the AG notification.
- Cost allocation for forensic investigation, credit monitoring, call center, and notification mailings.
- Indemnification scope, including whether breach response costs are inside or outside the contractual liability cap.
I will say this directly: a SaaS provider who has not negotiated breach allocation language with its enterprise customers is taking a meaningful risk. Breach response is expensive. Generic mutual indemnities almost never produce the result either side actually wants in a real incident.
Comparison to California breach notification
California's statute (Civil Code section 1798.82) uses the same trigger for regulator notice: a breach affecting more than 500 California residents requires submitting a sample copy of the consumer notice to the California Attorney General. The timing standard differs. California requires notice in the most expedient time possible and without unreasonable delay, with no fixed day count, whereas Washington adds a hard 30-day outer limit from discovery. For a breach touching both states, the Washington clock is usually the one that sets the response schedule.
Contractual allocation of breach obligations
SaaS terms of service and data processing addenda routinely allocate breach obligations between operator and customer. The clauses most worth getting right:
- Definition of "Security Incident" and the trigger that activates the vendor's obligations.
- Vendor's notification deadline to the customer (often 24, 48, or 72 hours from discovery).
- Required content of the vendor's notice to the customer (what was acquired, when, scope, containment).
- Authority and responsibility for forensic investigation, including cooperation duties and access to logs.
- Cost allocation for breach response services (forensics, legal review, consumer notice, credit monitoring, regulatory submissions).
- Carve-outs from the contractual liability cap for breach-related costs, where they exist.
- Indemnification and insurance requirements (cyber and tech E&O).
Washington legal leverage
Two facts about Chapter 19.255 RCW carry the most weight in practice. First, the AG-notification trigger is fixed at more than 500 Washington residents in a single breach, with a hard 30-day window from discovery, and the consumer-notice obligation runs on the same 30-day clock; because few states impose a shorter fixed deadline, the Washington window often sets the schedule for a multi-state breach. Second, the encryption safe harbor is binary: encrypted data acquired without the key or other means to decipher it is out of scope; everything else is in scope. A breach response plan calibrated to these two facts is materially more useful than a generic incident response template that treats all states the same.
Incident response readiness checklist
- Written incident response plan with named roles (executive sponsor, security lead, legal lead, communications lead, outside counsel, outside forensics).
- Data inventory showing where personal information of Washington residents lives.
- Encryption and key management policy that supports the statutory safe harbor.
- Logging and forensic readiness sufficient to determine acquisition versus exposure.
- Vendor and processor inventory with breach notification SLAs in each contract.
- Template AG submission, consumer notice, and customer notice, pre-cleared with counsel.
- Tabletop exercises at least annually.
- Cyber insurance with breach response coverage and a pre-selected breach coach.
When attorney involvement matters
For a routine incident (a few dozen affected residents, an encrypted backup snapshot acquired without its key and since recovered, no AG notice required), a well-prepared internal team can usually run the response with light legal review.
Attorney involvement is where I see it earn its cost on:
- Breaches that cross the 500-resident AG-notice threshold in any one state.
- Breaches involving health information, biometric data, or children's data.
- Breaches where the vendor and customer dispute who owns the response.
- Breaches with potential regulatory parallel exposure (HIPAA, GLBA, SEC reporting, FTC).
- Any breach where attorney-client privilege over the investigation is desirable, which is most of them.
Related resources
For SaaS terms drafting, see my Washington SaaS Terms Guide. For California privacy and breach analogs, see the California Privacy Hub. For more context, see the Washington Business Law hub.
Get a Washington-aware data breach response
Currently educational only on Washington-specific legal representation. Contract drafting, privacy policy review, and incident response memo work can be handled now under my California license with explicit Washington-coverage disclaimers, calibrated to Chapter 19.255 RCW. For active incident response, email me directly and I will respond same business day.