On May 12, 2020, Governor Jay Inslee approved several Washington counties to move to Phase 2 of the Four-Phase Plan to reopen the state. With this approval, the Governor has released a set of requirements for different business activities, the implementation of which is required as a condition of being able to open the business to the public.
Among those requirements is the obligation for dine-in restaurants and taverns to create a daily log of all customers and maintain that daily log for 30 days, including the telephone number or email of the patron.
Although such log may prove necessary for health agencies to trace and contact individual who’ve may been in contact with a person that was tested positive for Covid-19, collecting such information may expose restaurant owners to potentially severe personal information data breach liability.
Although the State of Washington has yet to enact its own Data Privacy Law (the current version of the proposed Washington Privacy Act (“WPA”) failed to pass out of both houses of the State Legislature last session), there are a few rules that, among others, impose liability on loss of personal information (Chapter 19.255 RCW). For instance, Washington law requires every person or business that conducts a business in Washington and collects such personal information for its own needs, to provide notification of any breach of the information by an unauthorized person, to the person whose’ information was breached.
If the person or business maintains such personal information on behalf of a third party, it shall inform such third party in case of a breach.
In light of these new obligations to collect data, if you conduct a business, which are now required to collect identifying information from your customers, there are several ways to avoid such liability:
- For a more technology-oriented solution is encryption or other security measure which will prevent the person behind the breach to access the personal information. This solution will not prevent the legal requirements if the breaching person had obtained the key to unlocking the security measure.
- For a more simple solution, it would be advisable to separate the information collect for COVID-19 regulation purposes from all other information you collect about your customers. The specific Washington regulations relate to personal information that contains the individual’s name in combination with an additional data element such as an account or credit/debit card number, date of birth, driver’s license or other identifying number, etc.
Such solution will require full separation of data, which will prevent the breaching person from attaining both data elements.
Even without the new requirements under the current COVID-19 Washington State opening plan, there are various data protection principles and obligations that every business owner, online or offline must comply with.
Be sure to seek the advice of a professional legal advisor in order to ensure that you are in compliance of these rules.
= = = = =
DISCLAIMER: This blog post, as well as any data and information provided are for informational purposes only. It is not legal advice nor should it be relied on as legal advice. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction, or situation. The law is a rapidly changing subject, no representation is made that everything posted on this site will be accurate, up to date, or a complete analysis of legal issues. Please consult with an attorney with the appropriate level of experience if you have any questions. Review or use of the document and any discussions does not create an attorney-client relationship with the author or Possinger Law Group, PLLC. No attorney-client or confidential relationship is or should be believed to be formed by the use of this site. The opinions expressed here represent those of Jeffrey Possinger and not those of Possinger Law Group, PLLC or its clients.