Can I use third-party cloud storage services that collect personal information in Washington? What are the requirements?
Based on the documents provided, if you are using third-party cloud storage services that collect personal information in Washington, you must ensure that the data is encrypted both in motion and at rest using the latest industry standard methods and tools for encryption, consistent with the standards of the office of the chief information officer [1.1]. Additionally, if you are a data vendor, you must enter into a legally binding data use and confidentiality agreement with the lead organization, and annually engage the services of an independent third-party security auditor to conduct a security audit to verify that the infrastructure, environment, and operations of the database are in compliance with federal and state laws, Washington state information technology security standards, and the contract with the lead organization [1.1].
Furthermore, any person or business that conducts business in Washington and owns or licenses data that includes personal information must disclose any breach of the security of the system to any resident of Washington whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person [4.1].
If encryption is employed on public records, the agency must maintain the means to decrypt the record for the life of the record as designated by the approved required minimum retention period for that record [3.1].
In order to ensure compliance with privacy and security requirements and procedures, the office or the office of chief information officer or both may request from the lead organization any or all of the following [1.2]:
- (1) Audit logs pertaining to accessing the data;
- (2) Completion of a security design review as required by Washington state IT security standards;
- (3) Documentation of compliance with OCIO security policy (OCIO policy 141.10 Securing information technology assets standards);
- (4) All data use agreements.
Personal information in any files maintained for students in public schools, patients or clients of public institutions or public health agencies, or welfare recipients is exempt from public inspection and copying under this chapter [2.1].
In summary, if you are using third-party cloud storage services that collect personal information in Washington, you must ensure that personal information is encrypted both in motion and at rest, and any breach of the security of the system must be disclosed to affected residents of Washington. Additionally, the office or the office of chief information officer or both may request audit logs, security design review, documentation of compliance with OCIO security policy, and all data use agreements to ensure compliance with privacy and security requirements and procedures. However, personal information in any files maintained for students in public schools, patients or clients of public institutions or public health agencies, or welfare recipients is exempt from public inspection and copying under this chapter.
Source(s):
- [1.1] Requirements for data vendor.
- [1.2] State oversight of compliance with privacy and security requirements.
- [2.1] Personal information.
- [3.1] Use of encryption on electronic records.
- [4.1] Personal information—Notice of security breaches.
Jurisdiction: Washington