OLYMPIA — Attorney General Bob Ferguson released his seventh annual data breach report today. The report shows that data breaches remain at record-breaking severity. This year, 4.5 million data breach notices were sent to Washingtonians, second only to the 2021 record of 6.3 million since the Attorney General’s Office began tracking this number.
This year’s report is a special data-privacy edition, focusing on protecting consumer data even before breaches occur. Corporations collect and sell massive amounts of sensitive personal data. The more that this data is shared and collected, the more vulnerable consumers are to data breaches and cybercrime. In this year’s special-edition report, Ferguson is proposing a slate of reforms to protect Washingtonians’ data privacy — particularly sensitive data on consumers’ reproductive health care.
“Washingtonians deserve control over whether entities get to profit off their most sensitive data,” Ferguson said. “This is particularly urgent after the U.S. Supreme Court overturned Roe v Wade. The Legislature must adopt these reforms to help protect Washingtonians.”
The Attorney General’s Office receives no funding to publish this report. The Legislature does not direct the office to publish the report. The Attorney General publishes the report as a public service to give Washingtonians critical information to help them safeguard their data.
The report includes recommendations to policymakers and best practices for the public to protect their data and minimize risks.
The public can access the Attorney General’s database of breaches here.
Another record-high year
Data breach activity remains at historic levels after last year’s torrent of breaches.
State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed, and report breaches impacting more than 500 Washingtonians to the Attorney General’s Office. Breached businesses and agencies sent 4.5 million of these notices to Washingtonians in 2022. This year’s number of data breach notices is the second highest after last year’s record of 6.3 million notices.
The Attorney General’s Office received 150 data breach notifications this year, also the second highest number after the 2021 record. This is more than double the average number of breaches from the first five years the report was issued, 2016 to 2020.
The number of larger breaches — breaches affecting more than 50,000 Washingtonians — remained in the double digits for the second year in a row.
This is the second consecutive year Washington was hit with a “mega breach” — a breach affecting more than one million Washingtonians. This year, a cybersecurity attack on T-Mobile exposed the data of more than 2 million Washingtonians. This is the largest breach to hit the state since the Equifax breach of 2018, which affected 3.2 million Washingtonians.
Cyberattacks and ransomware remain at prolific levels. Malicious cybercriminals caused 68 percent of all reported data breaches. Ransomware — a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders — was involved in 43 data breaches this year.
The data used in the report is acquired through a high-level review of breach notices submitted to the office. A list of all data breach notices that have been sent to the office since 2015 is publicly available at https://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at www.atg.wa.gov/identity-theft-and-privacy-guide-businesses.
A roadmap for strengthening data privacy in Washington
The report makes several policy recommendations for Washington lawmakers to strengthen privacy and data breach protections.
- Pass legislation to protect consumers’ private health data. In October, Ferguson announced that he is partnering with Rep. Vandana Slatter, D-Bellevue, and Sen. Manka Dhingra, D-Redmond, to propose Attorney General Request legislation in the 2023 legislative session to increase data privacy protections in the wake of the Dobbs Supreme Court decision and empower Washingtonians with more control over their health data. Under current law, Washingtonians’ health data is left vulnerable to be used by advertisers or shared with anti-choice groups.
- Require more transparency from data brokers and data collectors so Washingtonians know more about the consumer information these entities control. The report recommends companies that sell and buy consumer data be required to obtain a license from the state and provide regulators with information about how and why Washingtonians’ data is used.
- Pass legislation requiring organizations to recognize and honor opt-out preference signals. This recommendation requires businesses to honor “global opt-out” signals, a privacy setting in an internet browser that lets consumers send an automatic signal to every website they visit that they are opting out of sharing their personal information. This is a powerful tool for consumers to control their data.
- Expand language access to data breach notifications. The report recommends requiring businesses to make data breach notification information accessible to Washingtonians who do not speak English as their primary language.
- Expand the definition of “personal information” in Washington data breach laws that cover private business. The report recommends protecting Individual Tax Identification Numbers — the personal numbers the Internal Revenue Service provides to foreign-born individuals — as well as the combination of full names with the last four digits of Social Security Numbers.