Washington Cybersecurity Requirements
Understanding Washington's data security and breach notification requirements, including specific obligations for insurance licensees.
Important Disclaimer
The information provided on this page is for general informational purposes only. State cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for Washington operations.
Overview
Washington has several data security and breach rules. For insurance licensees, the Office of the Insurance Commissioner (OIC) enforces specific security breach notification obligations, including under WAC 284-04-625 and related guidance. More broadly, Washington has breach notification laws applicable to many businesses that handle personal information of Washington residents.
Who is Covered (Insurance Focus)?
- Insurers, producers, and other licensees regulated by the Washington OIC
- These entities must protect "nonpublic personal financial information" and private consumer information and follow specific breach reporting procedures
Key Cybersecurity and Privacy Expectations
Safeguarding Consumer Information
- Licensees must adopt administrative, technical, and physical safeguards appropriate to the sensitivity of consumer information they handle, consistent with privacy and security obligations under both state and federal law
Vendor and Third-Party Oversight
- As in other states, insurers and licensees are expected to ensure that service providers maintain appropriate safeguards for consumer information
Security Breach Notification – Insurance Entities
If a security breach involves private consumer information (such as Social Security numbers or comparable identifiers) and is reasonably likely to expose customers to a risk of criminal activity, insurers and producers must:
- Notify the Insurance Commissioner in writing within two business days after determining that notification to consumers must be sent
- Provide details such as:
  - Number of consumers affected or potentially affected
  - Nature of the information involved
  - Steps the licensee is taking to remediate and protect consumers
- Licensees must also comply with Washington's general data breach notification statute, which requires notification to affected residents and, for larger incidents, the Attorney General
