Washington privacy incident response memo: what a useful written memo actually covers
A privacy incident response memo for a Washington operator is not a forensic report and is not a press statement. It is a written legal document that fixes the scope of the operator's obligations under Chapter 19.255 RCW (breach notification) and, where applicable, Chapter 19.373 RCW (MHMDA), explains what the operator is required to do and by when, and recommends a specific next step. The structure below is what I look for in a memo, and it is the structure I use when I write one as part of a written attorney evaluation. The memo is not a substitute for engaged outside counsel or a breach coach; it is the document that lets the leadership team make a decision based on the actual legal framework rather than on a vendor's slide deck.
Section 1: Facts as presented
Short narrative summary of what happened, when it was discovered, what data is plausibly involved, and what the operator has done so far. Avoid speculation; identify the items that are confirmed and the items still under investigation. The memo is a litigation-record candidate and should read as one.
Section 2: Scope under Ch. 19.255 RCW
Does the incident involve "personal information" of Washington residents as defined at RCW 19.255.010? Is the matter an unauthorized acquisition or only an exposure? Where the operator can credibly show no acquisition, the memo says so and identifies the evidence; where acquisition cannot be ruled out, the memo treats the matter as in scope. The encryption safe-harbor analysis sits in this section: encrypted plus key-protected qualifies; anything else is in scope.
Section 3: Timing posture
This section tracks the thirty-day consumer-notice clock from RCW 19.255.010: the discovery date, the current date, the remaining window, the documented basis (if any) for a law-enforcement delay, and the time reasonably necessary to determine scope. If the matter affects more than five hundred Washington residents in a single breach, the AG-notice trigger runs in parallel.
Section 4: Content requirements
Statutory consumer-notice content (categories acquired, time frame, contact information, recommended steps to protect against identity theft and dispute fraudulent transactions, toll-free numbers and addresses of the consumer reporting agencies and the FTC). Statutory AG-submission content (number of affected Washington residents, categories, time frame, description, containment steps, contact information). Where the current draft is short of any item, the memo says so and provides the missing language.
Section 5: Vendor and processor allocation
Where a vendor or processor is in the data chain, RCW 19.255.020 requires that party to notify the owner promptly; the owner carries consumer and AG notice. The DPA usually contains a more specific notice window, cost allocation, indemnification scope, and any carve-out from the contractual liability cap for breach-related costs. The memo reconciles the contractual and statutory postures and flags any inconsistency.
Section 6: MHMDA escalation (if applicable)
If the affected data includes health, wellness, biometric, mental-health, reproductive, or gender-affirming data, Chapter 19.373 RCW (MHMDA) is in the matter in parallel. The memo flags the consumer-health-data privacy policy obligation under RCW 19.373.020, the consent and sale/share authorization framework under RCW 19.373.030 and following, and the per se Consumer Protection Act hook at RCW 19.373.090. MHMDA has its own framework; the memo coordinates the postures rather than replacing the Ch. 19.255 analysis. For an extended comparison, see data breach vs. MHMDA.
Section 7: Enforcement exposure
RCW 19.255.040 is the consumer protection section of Chapter 19.255. It gives the Attorney General CPA-style enforcement authority for Chapter 19.255 violations and separately lets an injured consumer bring a civil action for damages and injunctive relief. The statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so do not assume the full RCW 19.86.090 private CPA remedy stack (treble damages, one-way attorney's fees) automatically applies to a breach-notification claim. A separate Chapter 19.86 CPA claim may still be available if the facts independently satisfy the CPA elements, in which case the four-year statute of limitations under RCW 19.86.120 applies to that independent claim. The memo identifies the likely individual versus class versus AG enforcement exposure based on the scale and category of the incident.
Section 8: Recommended next step
Specific and actionable. Revise the consumer-notice content along these lines. File the AG submission by this date. Issue the parallel multi-state notices in this order. Engage breach coach under the cyber-insurance policy. Coordinate public-facing language with the vendor. Preserve these specific categories of evidence. The recommendation is one a decision-maker can act on without further interpretation.
What a useful memo is not
A useful Washington privacy incident memo is not a regulatory survey of every state's breach statute. It is not a forensic report. It is not a recital of the company's security controls. It is a narrow document calibrated to the operator's actual obligations under Chapter 19.255 RCW and (where applicable) Chapter 19.373 RCW, applied to the specific incident facts. A memo that wanders into security controls or comparative-statute appendices is usually padding produced by a template tool. A memo that names the operative subsections and applies them to the facts is the document you actually want.
What to send for a written incident memo
- Incident timeline with discovery date.
- Data inventory or system-affected summary.
- Encryption posture and key-management documentation.
- Forensic report (interim or final), if available.
- Current draft consumer notice and AG submission.
- DPAs with any vendor or processor in the chain.
- Cyber-insurance coverage summary.
- Any law-enforcement delay request and the lift, if any.
Send to owner@terms.law with subject "Washington privacy incident memo - $125." Two business-day turnaround.
Primary sources
- RCW 19.255.010
- RCW 19.255.020
- RCW 19.255.040 (consumer protection section: AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090)
- RCW 19.86.090 (CPA private action; available only if a separate Chapter 19.86 claim is independently supported on the facts)
- RCW 19.373.090 (MHMDA per se CPA hook, if health data is in scope)
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.