Washington SaaS data breach notice review: owner vs. processor allocation under Ch. 19.255 RCW
When a SaaS company suffers a Washington data breach, the first legal question is whether the company is the data owner or the processor. Chapter 19.255 RCW allocates obligations very differently between the two. The data owner carries consumer notice and Attorney General notice. The processor's obligation runs to the owner: prompt notice on discovery, with the owner then carrying the public-facing duties. That statutory allocation is not the same as the allocation in the DPA, which usually narrows the contractual notice window, allocates the cost of forensic and notification work, sets indemnification scope, and sometimes carves breach-related costs out of the contractual liability cap. The review framework below is what I look at when a SaaS operator sends a Washington breach notice for written attorney evaluation. It is educational, not Washington legal advice for a specific incident.
Step 1: which role are you in?
- Data owner: you collected the personal information directly from Washington residents or are the named controller in the DPA. RCW 19.255.010 obligations attach.
- Processor: you maintain personal information on behalf of an owner or licensee. RCW 19.255.020 applies. Your statutory obligation is to notify the owner promptly on discovery.
- Joint: rare but possible. Your DPA and your customer-by-customer practice often determine the answer. Document the determination in writing.
Step 2: the DPA-versus-statute reconciliation
The DPA usually narrows the statutory timeline. A vendor obligated by the DPA to notify the customer within twenty-four, forty-eight, or seventy-two hours of discovery is contractually on a tighter clock than RCW 19.255.020's "prompt notice." The contractual clock is enforceable independently; the statutory clock is the floor for public-facing notice. The notice content the vendor sends the customer should be specific enough that the customer can comply with the thirty-day consumer-notice and (if applicable) AG-notice windows under RCW 19.255.010. Generic "we identified an incident" notices that strip out the data-category detail and the timeline make the customer's downstream notice impossible to draft on the statutory clock.
Step 3: cost and indemnification
- Forensic investigation cost: typically allocated by DPA, often to the vendor when the breach occurred inside vendor systems. Check the carve-outs from the contractual liability cap; standard caps frequently exclude breach-related forensic, notification, and credit-monitoring costs.
- Consumer notice and credit monitoring: usually a customer obligation, but cost can be reallocated by indemnification.
- AG submission and regulator coordination: usually customer-owned, with vendor cooperation duties.
- Defense and indemnification of third-party claims arising from the breach: read the indemnity carefully. Mutual indemnities are common, and they almost never produce the intended outcome in a real incident.
- Cyber insurance: confirm both parties' policy limits, deductibles, and breach-coach panels.
Step 4: coordinated public statements
Inconsistent statements between owner and vendor create Consumer Protection Act exposure under RCW 19.86.020 independent of the underlying breach. Customers, regulators, and journalists will collect both notices. Both notices need to land on a single set of facts: the same data categories, the same time frame, the same containment description, the same affected-resident count. Coordinate the language before either notice goes out. Where the vendor has multiple affected customers, the vendor's customer-by-customer communications should align with the vendor's public posture.
Step 5: regulatory parallel paths
- Health data: the MHMDA (Chapter 19.373 RCW) framework runs in parallel for consumer health data; see the data breach vs. MHMDA comparison.
- HIPAA: covered entities and business associates have parallel breach-notification obligations under the HHS Breach Notification Rule, with the larger-breach (500+ individuals) timeline tighter than the WA window.
- Multi-state: most operators serve multiple states. Default to the strictest applicable standard for timing, content, and AG triggers.
- SEC: public companies may have parallel disclosure obligations under the cybersecurity disclosure rules.
Where SaaS breach notices break down in practice
The two most common failures I see in SaaS breach notice drafts are vague data-category descriptions ("personal information may have been accessed" with no list of fields) and vague time frames ("during a recent period"). The first prevents downstream customers from drafting a compliant RCW 19.255.010 consumer notice; the second invites a Consumer Protection Act exposure of its own because the vendor's statement reads as evasive. A useful SaaS breach notice is specific on both axes: which fields were affected for which customers, and the specific date window of the unauthorized acquisition.
What I review when you send a SaaS breach matter
When you send the incident timeline, the master service agreement and DPA with the customer in scope (or with the vendor in your chain), the current draft notice to the customer, the customer's draft consumer notice if available, the forensic summary, and the cyber-insurance summary, I walk Ch. 19.255 against the specific facts and flag the content gaps, the timing posture, the cost-allocation reconciliation, and the coordination risk. The output is a written evaluation, not a sales pitch.
Primary sources
- RCW 19.255.010: consumer notice, AG notice, encryption safe harbor.
- RCW 19.255.020: processor and vendor notice obligations.
- RCW 19.255.040: consumer protection section; AG enforcement and consumer civil action for damages and injunctive relief, with the carve-out from RCW 19.86.090.
- RCW 19.86.020: substantive CPA prohibition (relevant only if a separate Chapter 19.86 claim is independently supported on the facts).
This page is an educational resource. Sergei Tokmakov is a California attorney (CA Bar #279869) currently seeking admission to the Washington State Bar.