UW Privacy Office

Breach Notification

Review the Report an Incident webpage to determine where to report an unforeseen event, incident, or potential or confirmed data breach.

Breach Notification Management

The UW Privacy Office provides oversight, management, and direction for investigations of potential or confirmed data breaches involving personal data, other than protected health information or areas under the authority of the Institutional Review Board. This includes, but is not limited to:

  • Managing the UW’s response to the incident;
  • Coordinating the activities, as needed, with the UW Division of the Attorney General’s Office, UW Office of the CISO, and other applicable offices at the UW;
  • Assessing the potential harm to individuals, compliance with applicable laws and regulations, and risks to the UW;
  • Determining if communication or notification to individuals is required or desired;
  • Reporting the incident, if/as needed, to external regulators; and
  • Managing the communication plan(s), including communication to the President, the Provost, the Board of Regents, and University Marketing and Communications.

Each breach notification law is likely to define what is and is not considered “personal data” or “individually identifiable information,” as well as what is and is not considered a data breach.

Requirements regarding who, when, and how to notify individuals about a breach are likely to vary by state and by country, by contract, by data sharing agreement, and/or by circumstances.

In addition, the period within which notification must take place varies by law or regulation, from within 72 hours of becoming aware of a breach to within 30 days of the breach, or perhaps even longer.

WA State breach notification law updated twice in 2020

Under Washington State’s revised breach notification law, RCW 42.56.590 (effective March 1, 2020, updated June 11, 2020), “personal information” that may require notification is defined as:

First name or first initial and last name in combination with one of the following:

  • Social security number (SSN) or last 4 digits of SSN
  • Driver’s license number or WA identification number
  • Financial account number (credit, debit, etc.) and security code, access code, or password
  • Full date of birth
  • Private key that is unique to an individual and that is used to authenticate or sign an electronic record
  • Student, military, or passport identification number
  • Health insurance policy number or health insurance identification number
  • Information about a consumer’s medical history, or mental or physical condition, or about a health care professional’s medical diagnosis or treatment
  • Biometric data generated by automatic measurements or other unique biological patterns or characteristics used to identify a specific individual

User name or email address in combination with a password or security questions and answers that would permit access to an online account

Any of the previously mentioned data elements or combination of data elements without first name or first initial and last name if the data elements:

  • Are not encrypted, redacted, or made unusable; and
  • Would enable identity theft.