AG report: Data breaches in Washington state reach all-time high

A new report from the Washington Attorney General’s Office found that there were more data breaches in the state this year than there were residents.

A data breach is defined as the unauthorized acquisition of data that compromises the security or confidentiality of personal information held by a person, business or institution.

The compromised information may include the person’s name, as well as their Social Security number, driver’s license, medical information, and account numbers or credit card numbers.

according to last reportAlmost 11.6 million data breach notifications were issued in a single year. The report covers the period between July 2023 and July 2024.

Before this year, the previous record was 6.5 million reports in 2021.

The 11.6 million figure also represents a 156% increase over the 4.5 million tips sent in 2023.

Data shows that cyberattacks are the most common type of breach, representing 78% of all reported breaches.

Any Washington entity affected by a data breach is required by state law to notify the Attorney General’s Office if the breach affects more than 500 Washingtonians.

AGO received 279 data breach notifications this year; This represents the second highest amount recorded since 2016. The record was 286 data breach notifications in 2021.

217 of the 279 data breaches in 2024 were caused by cyber attacks. The most common form of cyberattack was ransomware, accounting for 52% of the 217 cyberattacks.

This is the fourth year in a row that ransomware attacks have been the most common type of cyberattack, according to the AGO.

“For the first time in a year, the number of notices sent to Washingtonians exceeded the state’s population,” Attorney General Bob Ferguson said in the report released Tuesday. “With nearly a decade of trend data available, it is undeniable that significant changes in policies and industry practices are necessary to reduce the increasing frequency and intensity of data breaches affecting Washingtonians.”

Ferguson’s office is recommending that the state make improvements to its data breach notification law by reducing the deadline for data breach notification to three days and expanding the definition of personal information.

Other recommendations include giving Washington residents more control over how their data is collected and used, demanding transparency from data brokers and data aggregators, and consulting with tribes on how they can best support efforts to combat cyberattacks.

Report looks at Colorado data privacy lawFor examples of how Washingtonians can be given more control over their data, see , which goes into effect in July 2023.

Colorado law includes a requirement for covered businesses to treat consumers’ opt-out signals as a valid request that their personal information not be shared or sold.

AGO claims that if businesses in Washington heed opt-out signals, residents would have more control over their data, potentially reducing the impact of future data breaches.