On May 12, 2020, Governor Jay Inslee approved several Washington counties to move to Phase 2 of the Four-Phase Plan to reopen the state. With this approval, the Governor has released a set of requirements for different business activities, the implementation of which is required as a condition of being able to open business to the public.
Among those requirements is the obligation for dine-in restaurants and taverns to create a daily log of all customers. That daily log, which must include the telephone number or email of the patron, must also be maintained for 30 days.
Although such a log may prove necessary for health agencies to trace and contact individuals who could have been exposed to COVID-19, collecting such information may expose restaurant owners to potentially severe personal information data breach liability.
Although the State of Washington has yet to enact its own Data Privacy Law (the current version of the proposed Washington Privacy Act (“WPA”) failed to pass out of both houses of the State Legislature last session), there are a few rules that, among others, impose liability on loss of personal information (Chapter 19.255 RCW). For instance, Washington law requires every person or entity that conducts business in Washington to provide notification of any breaches of collected information to individuals whose information was involved in the breach. Additionally, if the person or business retains such personal information on behalf of a third party, it shall inform such third party in the case of a breach.
In light of these new obligations to collect data, if you conduct a business, you are now required to collect identifying information from your customers – thus making you subject to these data privacy rules. There are, however, several ways to protect this private information from potential breaches. Here are a few suggestions:
- For a more technology-oriented solution, many businesses use encryption or other electronic security measures. This option relies on measures such as digital firewalls to block potential intruders from accessing sensitive information. It is important to note that, while generally secure, this solution will not prevent the company from being legally liable if the breaching person obtains the key to unlocking the security measure.
- For a simpler solution, businesses can keep information collected for COVID-19 regulation purposes separate from all other information collected about customers. Washington regulations relating to personal information apply only when the individual’s name is collected in combination with an additional data element, such as an account or credit/debit card number, date of birth, driver’s license or other identifying number. To be useful, this solution will require full separation of data, which will prevent potential data breachers from obtaining both data elements.
Even without the new requirements set under Washington State’s COVID-19 opening plan, there are various data protection principles and obligations that every business owner, online or offline, must comply with. Be sure to seek the advice of a professional legal advisor in order to ensure that you are in compliance with these rules.
= = = = =
DISCLAIMER: This blog post, as well as any data and information provided, is for informational purposes only. It is not legal advice nor should it be relied on as legal advice. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction, or situation. The law is a rapidly changing subject; no representation is made that everything posted on this site will be accurate, up to date, or a complete analysis of legal issues. Please consult with an attorney with the appropriate level of experience if you have any questions. Review or use of the document and any discussions does not create an attorney-client relationship with the author or Possinger Law Group, PLLC. No attorney-client or confidential relationship is or should be believed to be formed by the use of this site. The opinions expressed here represent those of Jeffrey Possinger and not those of Possinger Law Group, PLLC or its clients.