Statewide data breaches remain at record-breaking levels, prompting the state Attorney General to propose legislative reforms to protect data privacy.

In 2022, 4.5 million data breach notices were sent to Washington residents, second only to the 2021 record of 6.3 million.

State law requires organizations that experience a data breach to send notices to all consumers whose data was exposed and report breaches impacting more than 500 Washingtonians.

Attorney General Bob Ferguson released his seventh annual data breach report in December. His office has been tracking the breaches since 2015.

The Attorney General’s Office received 150 data breach notifications in 2022, also the second highest amount after the 2021 record. This is more than double the average number of breaches from the first five years the report was issued, 2016-20.

The number of larger breaches – breaches affecting more than 50,000 Washingtonians – remained in the double digits for the second year in a row.

This is the second consecutive year Washington was hit with a “mega breach” – a breach affecting more than 1 million Washingtonians.

This year, a cybersecurity attack on T-Mobile exposed the data of more than 2 million residents. This is the largest breach to hit the state since the Equifax breach of 2018, which affected 3.2 million residents.

Cyberattacks and ransomware remain at prolific levels, the attorney general said.

Breaches caused by malicious cybercriminals caused 68% of all reported data breaches. Ransomware – a type of cyberattack in which cybercriminals use malicious code to hold data hostage in hopes of receiving a ransom payment from the data holders – was involved in 43 data breaches this year.

The data used in the report is acquired through a high-level review of breach notices submitted to the office.

Ferguson proposes a slate of reforms to protect Washingtonians’ data privacy – particularly sensitive data on consumers’ reproductive health care.

“Washingtonians deserve control over whether entities get to profit off their most sensitive data,” he said in a statement. “This is particularly urgent after the U.S. Supreme Court overturned Roe v. Wade. The Legislature must adopt these reforms to help protect Washingtonians.”

The report makes several other policy recommendations for Washington lawmakers to strengthen privacy and data breach protections:

• Require more transparency from data brokers and data collectors so Washingtonians know more about the consumer information these entities control. The report recommends companies that sell and buy consumer data be required to obtain a license from the state and provide regulators with information about how and why residents’ data is used.
• Pass legislation requiring organizations to recognize and honor opt-out preference signals. This recommendation requires businesses to honor “global opt-out” signals, or a privacy setting option in an internet browser that gives consumers the power to send an automatic signal to every website they visit that they are opting-out of sharing their personal information. This is a powerful tool for consumers to control their data.
• Expand language access to data breach notifications. The report recommends requiring businesses to make data breach notification information accessible to residents who do not speak English as their primary language.
• Expand the definition of “personal information” in state data breach laws that cover private business. The report recommends protecting Individual Tax Identification Numbers – the personal numbers the Internal Revenue Service provides to foreign-born individuals – as well as the combination of full names with the last four digits of Social Security Numbers.

A list of all data breach notices that have been sent to the office since 2015 is publicly available at atg.wa.gov/data-breach-notifications.

Information for businesses on reporting data breaches is available at atg.wa.gov/identity-theft-and-privacy-guide-businesses.