Washington data breach response plan: building a runbook that survives contact with an actual incident
A Washington data breach response plan is not a security document. It is a legal and operational document that lives at the intersection of Chapter 19.255 RCW (breach notification), the security obligations woven through SaaS contracts, and the time pressure created by the thirty-day consumer-notice window. Most plans I review either default to a generic template that does not name the Washington statute, or focus on the technical response and skip the regulatory submission. The runbook below is the structure I look for in a Washington operator's plan. It is educational, not Washington legal advice for a specific incident.
Named roles and decision authority
- Executive sponsor with budget authority. The sponsor decides whether to engage outside counsel, outside forensics, and breach-coach services, and approves the consumer and AG notice content.
- Security lead. Owns the technical containment and forensic analysis, runs the acquisition-versus-exposure determination, and produces the evidence supporting the encryption safe harbor (when applicable).
- Legal lead. Owns the Ch. 19.255 analysis, the consumer notice content, the AG submission, and the multi-state coordination if other states' laws apply.
- Communications lead. Owns the consumer-facing notice voice, the press posture, and the website notice page.
- Outside counsel and outside forensics. Engage both under privilege when feasible; the forensic engagement should run under counsel's direction so that the work product is protected.
- Cyber insurance breach coach. Most policies require notice and pre-approved coach selection within tight windows.
Decision tree: the first 72 hours
- Hour 0: detection. The discovery clock under RCW 19.255.010 begins. Document the discovery time in writing.
- Hour 0 to 4: containment. Limit the blast radius. Preserve logs and forensic images. Do not communicate externally yet.
- Hour 4 to 24: scope and engagement. Engage counsel and outside forensics. Notify cyber insurance. Identify the data categories plausibly involved and the affected jurisdictions. Make the preliminary acquisition-versus-exposure determination.
- Hour 24 to 48: Ch. 19.255 scope. Resolve the encryption safe-harbor analysis (key compromised or not). Estimate the affected Washington residents to evaluate the five-hundred-resident AG trigger. Draft the parallel multi-state matrix.
- Hour 48 to 72: notice planning. Begin drafting the consumer notice and the AG submission against statutory content requirements. Coordinate with the vendor or processor in the chain (if any) on consistent public-facing language.
The 30-day clock and the AG submission
- Consumer notice in the most expedient time possible, and no later than thirty calendar days from discovery.
- AG notice within the same window if more than five hundred Washington residents are affected in a single breach.
- Delay is allowed only for the legitimate needs of law enforcement (requested in writing) plus the time reasonably necessary to determine the scope of the breach and restore the integrity of the system. The delay is not a discretionary extension.
- Update the AG submission for any required item that was unknown at the time the notice was due.
Vendor and processor allocation
- If a vendor or processor is in the chain, RCW 19.255.020 obliges that party to notify the data owner promptly on discovery. The owner remains responsible for consumer and AG notice.
- Read the DPA before any external communication. Coordinate with the vendor on consistent statements; inconsistent statements create CPA exposure under Ch. 19.86.
- Document the chain-of-custody of evidence transferred between owner and processor.
Multi-state coordination
- Most operators serve consumers in multiple states. Default the plan to the strictest applicable standard for timing, content, and AG-submission triggers.
- Maintain a state-by-state matrix that the legal lead can update during an incident.
- For HIPAA-regulated entities, the HHS Breach Notification Rule timeline runs in parallel and may be tighter for large incidents.
Documentation discipline
- Preserve logs, forensic images, and the timeline in a litigation-hold posture.
- Memorialize the law-enforcement delay request and the lift, if any.
- Document the encryption safe-harbor analysis with the evidence that supports it.
- Keep a copy of every external communication: notice mailings, AG submissions, website notices, regulator correspondence, vendor communications.
Tabletop and training
- Annual tabletop exercise with the named roles. Score the team against the 30-day clock and the AG-trigger scenarios.
- Update the multi-state matrix annually and after any material amendment to Ch. 19.255 RCW or comparable state statutes.
- Refresh the consumer-notice and AG-submission templates annually; statutes change.
Why a generic template is not a Washington-ready plan
Most off-the-shelf incident response plans default to HIPAA, NIST, or a sector-specific framework. They do not name Chapter 19.255 RCW, they do not encode the thirty-day consumer-notice window, they do not encode the five-hundred-resident AG trigger, and they do not address the encryption safe harbor. The plan you actually want is one that surfaces the operative Washington deadlines and content requirements during the incident, not after. A Washington-ready plan also names the vendor or processor in the data chain and references the specific DPA breach clauses so the contractual notice clock and the statutory clock can be reconciled in real time.
What I review when you send a Washington response plan
When you send the current plan, the data inventory, the encryption and key-management policy, the DPAs with vendors or processors in the data chain, and the most recent tabletop output, I walk the plan against Ch. 19.255 and tell you where the timing, the content, the safe-harbor documentation, and the vendor allocation need to be sharper. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.255.010: breach definitions, consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.040: consumer protection section; AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090.
- RCW 19.86.090: CPA private action (available only if a separate Chapter 19.86 claim is independently supported on the facts).
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.