Washington Legislative and Ohio Regulatory Update

February 13, 2020

The Washington legislature has amended the state’s data breach notification laws, effective March 1, 2020.  The Ohio Department of Commerce announced the annual loan prepayment penalty adjustment, effective January 1, 2020.




 “Personal Information” has been expanded to included:

  • An individual’s first name or first initial and last name in combination with any of the following:
    • Social security number;
    • Driver’s license number or state identification card number;
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other numbers or information that can be used to access a person’s financial account;
    • Full date of birth;
    • Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
    • Student, military, or passport identification number; or
    • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual;
  • Username or email address in combination with a password or security questions and answers that would permit access to an online account; and
  • Any of the above data or combination of data without the consumer’s first name or first initial and last name if the data is not encrypted or redacted and the data would enable a person to commit identify theft against a consumer.

If the breach involves a user name or password, notice may be provided electronically or by email.  The notice must inform the consumer to promptly change his or her password and security question or answer or take other appropriate steps to protect the online account.  If the breach involves email login credentials, the person or business may not provide the notification to that email address but most provide notice using another permitted method.


Any person or business that is required to issue a breach notification to more than 500 Washington residents must notify the state attorney general of the breach no more than 30 days after discovering the breach (previously 45 days).  In addition to the number of Washington consumers affected, the notice must include a list of the types of personal information believed to have been the subject of the breach, the date of the breach and date of the discovery of the breach, a summary of steps taken to contain the breach and a single sample copy of the notification.




A penalty may not be charged for the prepayment or refinancing of a residential mortgage obligation of less than $92,564 (previously $91,466) that is made or arranged by a mortgage broker, loan officer, or nonbank mortgage lender, and that is secured by a mortgage on a borrower's real estate that is a first lien on the real estate.



Sign up for news + updates

Expert insights and regulatory updates on RegTech, compliance management, and fair lending.

Diane Jenkins

Director, National Mortgage Compliance Practice Group, AsurityDocs Of Counsel, Sandler Law Group

Recommended Resources

Goals Module Overview

Learn more about the Goals Module and its key monitoring and reporting features.

Reg+Tech Magazine Volume 2 Issue 1

Learn about the changes of state consumer protection and the responsibility of financial services institutions to pursue operational excellence and a culture of compliance.

Reg+Tech Magazine Vol. 1 Issue 2

Regulatory and technology experts discuss innovation, CRA reforms, and how single-close construction loans are reenergizing rural America.

chevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram