UW Privacy Office

Breach Notification

Contact the UW Privacy Office

The UW Privacy Office works with UW units to identify relevant data breach notification laws, definitions and requirements for various states/countries/regions.  Contact uwprivacy@uw.edu or 206-616-1238.

Oversight

The UW Privacy Office is responsible for providing oversight and direction for events/incidents involving personal data or individually identifiable information and for making the final determination of notification to individuals and outside parties.

There are multiple international, federal, and state laws that require notification to a regulatory authority, residents, and/or citizens if an adverse event/incident compromises one or more individual’s identifiable information or personal data. The UW Privacy Office helps uphold the UW’s values and provide consistent reporting on privacy activities, risks and policies, while helping units navigate the diverse global landscape.

Common to all breach notifications are the concepts of definitions, notification requirements, and notification content.

Definitions

Each breach notification law is likely to define what is and is not considered “personal data” or “individually identifiable information.”

Under Washington State’s breach notification laws, RCW 19.255.010 /RCW 42.56.590, “personal information” is defined as a person’s first name or initial and last name in combination with any one or more of the following elements:

  • Social Security number
  • Driver’s license or Washington ID card numbers
  • Full account number (credit or debit) or any required security code that permits access to an individual’s financial account.

Under the European Union’s General Data Protection Regulation (EU GDPR), “personal data” is defined much more broadly, as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, by reference to:

  • Any identifier, such as name, ID, location data, online identifier; or
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 

Subject-specific data protection laws and regulations (e.g. HIPAA) often include their own unique data definitions, further adding complexity to the evaluation of when breach notification must occur.

Data Breach Notification Requirements

Requirements regarding who, when, and how soon to notify about a breach are likely to vary by state and by country, by contract, by data sharing agreement, and/or by circumstances.

Among those individuals who may need to be notified in the event of a breach: State Attorney General(s), regulatory authorities by agency or by country, contractual partners, and/or individuals whose information may have been compromised.

Conditions under which individuals must be notified may also vary widely. There may also be situations where the UW will decide notification is appropriate due to the sensitive nature of the personal data, even if no law mandates notification.

Finally, the period of time within which notification must take place varies anywhere from within 72 hours of becoming aware of a breach to within 45 days of the breach or perhaps even longer, depending upon the law/regulation.

Data Breach Notification Content

In all cases, each notification should be written in plain language and include:

  • What happened
  • The data elements involved
  • A description of the likely consequences of the personal data breach
  • How to request additional information (explicit names and contact details)
  • (If within Washington State) Credit reporting agencies’ contact information
  • (If notifying people residing in the EU) A description of the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

In situations where different privacy laws may be applicable to the same data set simultaneously, the UW Privacy Office will support navigation among data breach notification laws and UW privacy principles.