Can I skip having an information security program in place in Washington? What are the requirements?
Information Security Program Requirements in Washington
In Washington, all businesses that collect and store personal information are required to have an information security program in place [5]. The program must be designed to protect the confidentiality, integrity, and availability of personal information [5].
The Washington State Attorney General’s Office provides a comprehensive guide for businesses on how to develop an information security program [5]. The guide lists the following key elements that the program must include:
- Designation of an employee or employees to coordinate the program
- Identification of the personal information that the business collects and stores
- Assessment of the risks to the personal information
- Development of policies and procedures to manage the risks
- Implementation of safeguards to protect the personal information
- Regular monitoring and testing of the program
- Adjustment of the program in response to changes in technology or the business’s operations
Therefore, if you collect and store personal information in Washington, you cannot skip having an information security program. Having one in place to protect personal information is a legal requirement.
[5]Source(s):
Jurisdiction
Washington