The Washington Attorney General’s office released its fifth annual Data Breach Report yesterday, showing that the number of Washingtonians affected by breaches nearly doubled in the last year and ransomware attacks tripled.
The report is the first since new Washington state legislation took effect in March strengthening the state’s data breach notification law. The new laws require agencies and companies to provide earlier and more detailed notices to consumers. The report also comes in the midst of a global pandemic where more people are storing their personal information online.
The total number of Washingtonians affected by a data breach increased significantly, from 351,000 in 2019 to 651,000 in 2020. Overall, there were fewer breaches reported to the Attorney General’s Office in 2020, decreasing from 60 reported breaches last year to 51 this year.
The number of ransomware incidents in the state tripled in the last year, from two to six. During these attacks, a person inserts malicious code into a network, then encrypts its data, which renders it inaccessible to the breached organization. Hackers then seek payment to release the data back to the organization. Ransomware attacks impacted nearly 106,000 Washingtonians—about one out of every six impacted by a breach in the last year.
Malicious cyberattacks continued to be the leading cause of data breaches, accounting for approximately 65 percent of all breaches reported in 2020. Breaches of businesses affected on average 16,759 Washingtonians per breach, up from an average of 3,831 Washingtonians per breach in 2019.
“Data breaches remain a serious threat to our privacy and that danger is increasing during a pandemic where everyone is spending more time and money online,” Attorney General Bob Ferguson said. “If companies fail to do their part protecting Washingtonians’ data, my office will take action.”
Updating Washington’s notification laws
Responding to trends identified in previous data breach reports, Ferguson proposed legislation in 2019 to further protect Washingtonians. House Bill 1071 came into effect in March. The new law reduced the deadline to notify consumers and the Attorney General’s Office of a data breach from 45 to 30 days and expanded the definition of “personal information” to include:
- Account usernames and email addresses in combination with a password
- Date of birth
- Passport numbers
- Health insurance policy numbers
- Biometric data, such as fingerprints and DNA profiles
- Medical history
- Keys for electronic signatures
- Student ID numbers
- Military ID numbers
These legislative changes altered how the 2020 report came together once the new law took effect. For instance, a June 10 notice from Zoosk and a July 10 notice from Fetch Rewards Inc. are included because these breaches involved elements like stolen emails and passwords and dates of birth, which became part of the definition of “personal information” in March. These two breaches affected nearly 250,000 Washingtonians who would have been left out of the report in previous years.
These examples clearly illustrate why the update to Washington’s Data Breach Notification law in the 2019 session was so critical. The updated law will also allow the Attorney General’s Office to give a more complete picture of the breadth of data breaches going forward, as future reports will capture more data than before.
Long-term impacts of data breaches
The report is also meant to remind Washingtonians that cybercriminals have previously stolen a significant amount of their personal information and it remains readily available on the digital black market. The more information cybercriminals steal, the easier it will be for criminals to gain access to and combine different elements of a consumer’s personal information to commit acts of fraud or additional data breaches in the future.
This ocean of stolen personal data, according to Washington’s Employment Security Department (ESD), helped cause the widespread unemployment fraud that occurred in May. This resulted in the theft of hundreds of millions of dollars from ESD during the COVID-19 pandemic. This added undue stress and made it more difficult for thousands of Washingtonians whose identities were stolen outside ESD’s system to collect unemployment benefits when residents needed them most—in the midst of a global pandemic.
During the COVID-19 pandemic, Washingtonians are increasingly relying on digital and online services that collect user data to conduct business, go to school, find entertainment and communicate with friends and family. This increase in online activity may create more opportunities for cybercriminals to steal personal information and underlines the importance of Washington’s data breach notification laws.
The 2020 report makes several recommendations to policymakers on enhancing protection of personal data, including:
- Expanding the definition of personal information to include Individual Tax Identification Numbers as well as the last four digits of a Social Security number.
- Requiring people or companies to maintain a risk-management information security program.
- Holding data only as long as is reasonably required.
Push to better identify and limit data breaches
In 2015, the Legislature passed legislation to update Washington’s data breach notification statute, closing a loophole that allowed most Washington state businesses to avoid the notice requirements. Washington’s law now requires businesses and governments to notify the Attorney General’s Office after suffering breaches affecting the personal information of at least 500 Washingtonians. Previously, Washington law did not provide any deadline for notifying affected Washingtonians, and did not require notification to the Attorney General’s Office at all. The 2015 legislation created a 45-day deadline, which was reduced to 30 days in the 2019 legislation.
Ferguson led a coalition of 30 state attorneys general investigating a data breach by Premera Blue Cross, the largest health insurance company in the Pacific Northwest. As a result of that investigation, the office announced in July 2019 that Premera would pay $10 million for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country.
Also in July 2019, the office announced that Equifax would pay more than half a billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.
Since 2014, the Attorney General’s office has required several corporations with large data breaches that impacted Washingtonians’ privacy—Premera, Equifax, Uber and Target Corporation—to enter into legally enforceable agreements to improve their data security.
The data used in the report is acquired through a high-level review of breach notices submitted to our office. A list of all data breach notices that have been sent to our office since 2015 is publicly available at: www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.