The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
(1) "Breach of the security of the system" means unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system when the personal information is not used or subject to further unauthorized disclosure.
(2)(a) "Personal information" means:
(i) An individual's first name or first initial and last name in combination with any one or more of the following data elements:
(A) Social security number;
(B) Driver's license number or Washington identification card number;
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, or any other numbers or information that can be used to access a person's financial account;
(D) Full date of birth;
(E) Private key that is unique to an individual and that is used to authenticate or sign an electronic record;
(F) Student, military, or passport identification number;
(G) Health insurance policy number or health insurance identification number;
(H) Any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer; or
(I) Biometric data generated by automatic measurements of an individual's biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual;
(ii) User name or email address in combination with a password or security questions and answers that would permit access to an online account; and
(iii) Any of the data elements or any combination of the data elements described in (a)(i) of this subsection without the consumer's first name or first initial and last name if:
(A) Encryption, redaction, or other methods have not rendered the data element or combination of data elements unusable; and
(B) The data element or combination of data elements would enable a person to commit identity theft against a consumer.
(b) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(3) "Secured" means encrypted in a manner that meets or exceeds the national institute of standards and technology standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.
