Chapter 19.215 RCW

DISPOSAL OF PERSONAL INFORMATION

Sections

19.215.005 Finding.
19.215.010 Definitions.
19.215.020 Destruction of information - Liability - Exception - Civil action.
19.215.030 Compliance with federal regulations.


Finding.

The legislature finds that the careless disposal of personal information by commercial, governmental, or other entities poses a significant threat of identity theft, thus risking a person's privacy, financial security, and other interests. The alarming increase in identity theft crimes and other problems associated with the improper disposal of personal information can be traced, in part, to disposal policies and methods that make it easy for unscrupulous persons to obtain and use that information to the detriment of the public. Accordingly, the legislature declares that all organizations and individuals have a continuing obligation to ensure the security and confidentiality of personal information during the process of disposing of that information.



Definitions.

The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Entity" includes a sole proprietor, partnership, corporation, limited liability company, trust, association, financial institution, governmental entity, other than the federal government, and any other individual or group, engaged in a trade, occupation, enterprise, governmental function, or similar activity in this state, however organized and whether organized to operate at a profit.
(2) "Destroy personal information" means shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means.
(3) "Individual" means a natural person, except that if the individual is under a legal disability, "individual" includes a parent or duly appointed legal representative.
(4) "Personal financial" and "health information" mean information that is identifiable to an individual and that is commonly used for financial or health care purposes, including account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status.
(5) "Personal identification number issued by a government entity" means a tax identification number, social security number, driver's license or permit number, state identification card number issued by the department of licensing, or any other number or code issued by a government entity for the purpose of personal identification that is protected and is not available to the public under any circumstances.
(6) "Record" includes any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. "Record" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.



Destruction of information - Liability - Exception - Civil action.

(1) An entity must take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual's records within its custody or control when the entity is disposing of records that it will no longer retain.
(2) An entity is not liable under this section for records it has relinquished to the custody and control of the individual to whom the records pertain.
(3) This subsection [section] does not apply to the disposal of records by a transfer of the records, not otherwise prohibited by law, to another entity, including a transfer to archive or otherwise preserve public records as required by law.
(4) An individual injured by the failure of an entity to comply with subsection (1) of this section may bring a civil action in a court of competent jurisdiction. The court may:
(a) If the failure to comply is due to negligence, award a penalty of two hundred dollars or actual damages, whichever is greater, and costs and reasonable attorneys' fees; and
(b) If the failure to comply is willful, award a penalty of six hundred dollars or damages equal to three times actual damages, whichever is greater, and costs and reasonable attorneys' fees. However, treble damages may not exceed ten thousand dollars.
(5) An individual having reason to believe that he or she may be injured by an act or failure to act that does not comply with subsection (1) of this section may apply to a court of competent jurisdiction to enjoin the act or failure to act. The court may grant an injunction with terms and conditions as the court may deem equitable.
(6) The attorney general may bring a civil action in the name of the state for damages, injunctive relief, or both, against an entity that fails to comply with subsection (1) of this section. The court may award damages that are the same as those awarded to individual plaintiffs under subsection (4) of this section.
(7) The rights and remedies provided under this section are in addition to any other rights or remedies provided by law.



Compliance with federal regulations.

Any bank, financial institution, health care organization, or other entity that is subject to the federal regulations under the interagency guidelines establishing standards for safeguarding customer information (12 C.F.R. 208 Appendix D-2, 12 C.F.R. 364 Appendix B, 12 C.F.R. 30 Appendix B, 12 C.F.R. 570 Appendix B); the guidelines for safeguarding member information (12 C.F.R. 748 Appendix A); and the standards for privacy of individually identifiable health information (45 C.F.R. 160 and 164), and which is in compliance with these federal guidelines, is in compliance with the requirements of this chapter.