Under a new Washington law that went into effect June 13, employers must take all reasonable steps when disposing of records containing personal financial and health information or face civil liability in the event an employee falls victim to identity theft.
RCW 19.215 requires employers to ensure the security and confidentiality of personal information during the process of disposing of that information. "Destroy personal information" means shredding, erasing, or otherwise modifying personal information in records to make the personal information unreadable or undecipherable through any reasonable means.
Personal financial and health information is information identifiable to an individual and commonly used for financial or health care purposes. This can include: account numbers, access codes or passwords, information gathered for account security purposes, credit card numbers, information held for the purpose of account access or transaction initiation, or information that relates to medical history or status.
If an employer acts negligently in failing to take reasonable steps as described above, the injured party may recover a penalty of $200 or actual damages, whichever is greater, together with costs and attorneys' fees. If the failure to comply was willful, the penalty increases to $600 or three times the actual damages, not to exceed $10,000, plus costs and attorneys' fees. The Washington Attorney General also has authority to seek money damages, injunctive relief, or both.
An employer is not liable under the law if it releases information to the employee or if it transfers the records to another entity for archiving purposes.