Can I avoid having a data breach response plan in Washington? What are the requirements?
Based on the context documents, it is not possible to avoid having a data breach response plan in Washington. The documents provide requirements for data management plans, data vendors, data use agreements, and personal information notice of security breaches. These requirements emphasize the importance of protecting personal information and ensuring compliance with state and federal laws. Therefore, it is recommended that organizations have a data breach response plan in place to comply with these requirements and protect personal information.
Requirements for Data Management Plans
Requirements for data management plans are outlined in WAAC 182-70-220. The lead organization must require data requestors to submit data management plans with the data request application. Data management plans must comply with the Washington state office of chief security officer standards. Data management plans must provide detailed information including, but not limited to, physical possession and storage of the data files, data sharing, electronic transmission and distribution, data reporting and publication, and completion of project tasks and data destruction.
Requirements for Data Vendors
Requirements for data vendors are outlined in WAAC 82-75-410. The data vendor must enter into an agreement with the lead organization that contains requirements for compliance with all applicable federal and state laws, and the state’s security standards established by the office of the chief information officer. The data vendor must also enter into a legally binding data use and confidentiality agreement with the lead organization. The agreement must include provisions that restrict the access and use of data in the WA-APCD to that necessary for the operation and administration of the database as authorized by chapter 43.371 RCW.
Personal Information Notice of Security Breaches
Personal information notice of security breaches is outlined in WARC 19.255.010. Any person or business that conducts business in this state and that owns or licenses data that includes personal information shall disclose any breach of the security of the system to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm.
In summary, based on the requirements outlined in the context documents, it is recommended that organizations have a data breach response plan in place to comply with state and federal laws and protect personal information.
Jurisdiction
Washington