
Washington Data Breach Notification Timeline Checker

A Washington operator that owns or licenses computerized personal information of Washington residents has thirty days from discovery of a breach to notify affected consumers, with a parallel notice to the Washington Attorney General when a single breach affects more than five hundred Washington residents. defines the personal-information categories and the encryption safe harbor; is the consumer protection section, giving the Attorney General CPA-style enforcement authority and letting an injured consumer bring a civil action for damages and injunctive relief (the statute itself says an action to enforce Chapter 19.255 may not be brought under RCW 19.86.090, so do not assume the full Chapter 19.86 private remedy stack auto-attaches; a separate Chapter 19.86 CPA claim may still be available on independently satisfied CPA elements). This tool triages a current incident posture so the response can be calibrated to the right deadline and the right notice content. It is a triage tool, not legal advice.

Answer the nine questions below. The tool issue-spots the consumer notice deadline, the AG notice trigger, the encryption safe harbor, and the MHMDA escalation flag.

1. Date incident discovered

When did you first discover the incident?

Per , the 30-day consumer-notice clock runs from discovery, not from the date the breach actually occurred.

2. Date investigation confirmed personal information affected

When did your investigation confirm that personal information was actually acquired (or that you cannot rule out acquisition)?

The statute allows time reasonably necessary to determine scope. Document when scope was determined; the 30-day clock does not reset, but the determination date drives notice-content adequacy.

3. WA residents affected

How many Washington residents are or are reasonably believed to be affected?

The Attorney General notice obligation applies when a single breach affects more than five hundred Washington residents ().

4. Type of data involved

Which best describes the data category involved?

defines personal information as name plus a listed identifier (SSN, driver's license, account+code, date of birth, biometric, login credentials, others).

5. Was the data encrypted?

Was the affected personal information encrypted at the time of the incident?

Encryption is part one of the safe harbor. Encrypted data acquired without the corresponding key triggers no notice obligation. Data acquired with no encryption is squarely in scope.

6. Was the encryption key compromised?

If the data was encrypted, were the decryption keys, passwords, or other unlocking means also acquired?

Part two of the safe harbor. Encryption only protects when the key was not also acquired. If the attacker took both, the safe harbor does not apply.

7. Law enforcement contacted

Have you contacted law enforcement, and have they asked you to delay notice?

The statute allows delay for the legitimate needs of a criminal investigation. Document the request in writing.

8. Has consumer notice been sent?

Have you sent notice to affected Washington residents yet?

9. Has AG notice been sent?

Have you sent the Washington Attorney General notice (if applicable)?

AG notice is required only when more than 500 WA residents are affected in a single breach. If 500 or fewer are affected, this is N/A.
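The deadline, threshold, and safe-harbor checks described in the questions above can be sketched as a small triage function for an incident-response runbook. This is an added example, not the tool's own code: the `Incident` fields and `triage` function are hypothetical names, the 30 days are assumed to be calendar days, and the tool's per-issue score weights are not reproduced because the page does not state them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CONSUMER_NOTICE_DAYS = 30  # clock runs from discovery, not from the breach date
AG_THRESHOLD = 500         # AG notice when MORE than 500 WA residents, one breach


@dataclass
class Incident:  # hypothetical structure mirroring the questionnaire
    discovered: date
    wa_residents: int
    encrypted: bool
    key_compromised: bool
    le_delay_requested: bool = False
    consumer_notice_sent: Optional[date] = None
    ag_notice_sent: Optional[date] = None


def triage(inc: Incident, today: date) -> dict:
    # Both parts must hold: data encrypted AND unlocking means not acquired.
    safe_harbor = inc.encrypted and not inc.key_compromised
    # Assumption: 30 calendar days added to the discovery date.
    deadline = inc.discovered + timedelta(days=CONSUMER_NOTICE_DAYS)
    ag_required = not safe_harbor and inc.wa_residents > AG_THRESHOLD
    flags = []
    if safe_harbor:
        flags.append("safe harbor applies: encrypted, key not acquired")
    else:
        sent = inc.consumer_notice_sent
        if sent is None and today > deadline:
            flags.append(f"consumer notice overdue by {(today - deadline).days} days")
        elif sent is None:
            flags.append(f"consumer notice due in {(deadline - today).days} days")
        elif sent > deadline:
            flags.append("consumer notice was sent after the 30-day deadline")
        if ag_required and inc.ag_notice_sent is None:
            flags.append("AG notice required and not yet sent")
    if inc.le_delay_requested:
        # The deadline is not shifted here; the page only says to document it.
        flags.append("law-enforcement delay requested: keep the request in writing")
    return {"safe_harbor": safe_harbor, "consumer_deadline": deadline,
            "ag_notice_required": ag_required, "flags": flags}
```
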

How the score is calculated

The score sums per-issue weights. The highest scores indicate the most urgent posture.

Related resources

Background guide: Washington Data Breach Notification: An Operator's Guide. For health, wellness, biometric, mental-health, reproductive, or gender-affirming data, see the comparison of Ch. 19.255 RCW and MHMDA. For demand-letter strategy on a breach matter, see the Washington data breach demand letter resource.