Cybersecurity Checklist for Washington State Businesses in 2026

Washington state businesses face cybersecurity requirements from multiple directions: state law under RCW 19.255 (the data breach notification statute), federal requirements for regulated industries, and increasingly, cyber insurance requirements that effectively mandate a security baseline before coverage is issued.

This checklist covers what every Washington business should have in place — not just to be compliant, but to be protected.

The legal baseline: Washington state requirements

Washington's data breach notification law (RCW 19.255.010) requires businesses to notify affected individuals and the state attorney general within 30 days of discovering a breach involving personal information. "Personal information" includes name plus Social Security number, financial account numbers, login credentials, biometric data, or health insurance information.

The notification requirement is triggered by discovery of the breach — not by confirming the full scope. The 30-day clock starts when you become aware. Most businesses aren't ready for that timeline.

The security controls checklist

Identity and access (implement first)

  • Multi-factor authentication (MFA) on all accounts — Microsoft 365, email, banking, cloud services
  • Unique, strong passwords for every account (managed via a password manager like Keeper Security)
  • Privileged access review — does every employee have only the access they actually need?
  • Offboarding process — departing employees' accounts disabled on their last day, same day

Email and endpoint (highest attack surface)

  • Advanced email filtering that catches phishing, spoofing, and malware before the inbox
  • Managed detection and response (MDR) on every endpoint — laptops, desktops, servers
  • Automatic OS and software updates enabled and enforced
  • Encrypted hard drives on all business laptops

Data protection

  • 3-2-1 backups for all critical business data — three copies, two media types, one offsite
  • Backup restore tested in the last 90 days (not just verified as running)
  • Remote wipe capability on all mobile devices that access business data

People (the most targeted layer)

  • Phishing simulation and awareness training for all staff — at minimum quarterly
  • Documented incident response process: who to call, in what order, when something happens
  • Written acceptable use policy covering AI tools, personal device use, and remote work

Network

  • Business and guest Wi-Fi networks separated
  • Firewall with current firmware — reviewed and updated at least annually
  • VPN for remote employees accessing internal resources

The cyber insurance angle

In 2026, cyber insurers are underwriting much more carefully than they were two years ago. Most policies now require documented evidence of: MFA on email and remote access, tested backups, endpoint detection, and employee security training. Without these, you either can't get coverage or pay substantially more for it.

Getting your security baseline right isn't just risk management — it's a prerequisite for affordable cyber insurance.

Where Washington businesses are most exposed

In our experience working with businesses across the Pacific Northwest, the most common gaps are:

  1. MFA not enforced on email — Microsoft 365 accounts without MFA are compromised every day
  2. Backups never tested — the backup runs but nobody has ever proved a restore works
  3. No incident response plan — when something happens, people guess what to do
  4. Offboarding not immediate — former employees retain access for days or weeks

These aren't exotic problems. They're the ones we find most often when we review a new client's environment.
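The gaps above that can be measured from data (MFA, restore testing, offboarding) can be checked against exports you already have. The following is an added example, not part of the original checklist or any vendor's tooling; the CSV column names, the sample accounts, and the restore-test dates are constructed assumptions to be mapped to whatever your identity provider, HR system, and backup logs actually export.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data (not from any real environment). Column names are
# assumptions; map them to your identity provider and HR system exports.
ACCOUNTS_CSV = """user,enabled,mfa_enforced
alice@example.com,true,true
bob@example.com,true,false
carol@example.com,true,true
dave@example.com,false,false
"""
HR_CSV = """user,last_day
carol@example.com,2026-03-02
dave@example.com,2026-02-13
"""
RESTORE_TESTS = {"file-server": date(2026, 2, 20), "accounting-db": date(2025, 10, 1)}

RESTORE_MAX_AGE = timedelta(days=90)  # checklist item: restore tested in the last 90 days


def audit(accounts_csv, hr_csv, restore_tests, today):
    """Return findings for three of the common gaps: MFA, offboarding, restore tests."""
    accounts = {r["user"]: r for r in csv.DictReader(io.StringIO(accounts_csv))}
    findings = {"no_mfa": [], "stale_access": [], "restore_untested": []}

    for user, row in accounts.items():
        # Disabled accounts cannot sign in, so only enabled ones count here.
        if row["enabled"] == "true" and row["mfa_enforced"] != "true":
            findings["no_mfa"].append(user)

    for row in csv.DictReader(io.StringIO(hr_csv)):
        last_day = date.fromisoformat(row["last_day"])
        acct = accounts.get(row["user"])
        # The account should be disabled on the last day; enabled on any later day is a gap.
        if acct and acct["enabled"] == "true" and today > last_day:
            findings["stale_access"].append((row["user"], (today - last_day).days))

    for system, tested in restore_tests.items():
        if today - tested > RESTORE_MAX_AGE:
            findings["restore_untested"].append((system, (today - tested).days))
    return findings


if __name__ == "__main__":
    for gap, items in audit(ACCOUNTS_CSV, HR_CSV, RESTORE_TESTS, date(2026, 3, 10)).items():
        print(gap, items)
```

Run on a schedule, the output doubles as the documented evidence of MFA and tested backups that insurers ask for.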

Get a real assessment

A checklist is a starting point, not a substitute for a real security review. Schedule a free strategy session and we'll walk through your actual environment — not just a checklist — and tell you exactly where you stand.
