Local

Washington state Senate unanimously passes bill introduced in response to data breach

By Sara Gentzler

Updated March 10, 2021 8:38 PM

The Washington state Senate unanimously passed a bill on Wednesday that would create an office to consolidate and coordinate the state’s cybersecurity efforts. The bill was proposed in response to a breach announced earlier this month that exposed the personal data of over 1 million residents.

That breach involved Accellion, a third-party service provider the State Auditor’s Office used to transmit files. Data believed to be affected includes personal information of residents who filed for unemployment last year, including people whose identities were used to file fraudulent claims.

Requested by Gov. Jay Inslee, the bill that passed off the floor Wednesday would establish the Office of Cybersecurity within the existing Office of the Chief Information Officer, which sets information technology policy and direction for the state.

“It is true that, in the last number of years our country, and of course our state has been the victim of a number of cybersecurity incidents,” prime sponsor Sen. Reuven Carlyle said on the floor Wednesday.

“And it is absolutely true that we need to up our game. It is important to recognize that we have a highly decentralized system of not just cybersecurity, but IT as a function of government in our state. And that is simply not the place for that level of decentralization.”

This bill, he said, attempts to consolidate much of the state’s cybersecurity strategy.

The proposal has evolved since it was introduced, with changes in part clarifying and adding to the office’s duties. Reached by phone Wednesday, Carlyle, a Seattle Democrat, said the goal is to strengthen the role, accountability, and authority of the office. He expects that work to continue as the session moves forward.

In its current form, the Office of Cybersecurity created by the bill would in part establish security standards and policies and develop a centralized cybersecurity protocol.

The bill directs state entities such as state institutions of higher education, the Legislature, and agencies, to adopt information technology security programs that incorporate the office’s security standards and policies. An independent compliance audit of information technology security program and controls at each entity would be required at least once every three years.

Agencies would be required to report to the office any major cybersecurity incident within a day of when it’s discovered, and the office would investigate.

The bill also directs the office to collaborate with the state Office of Privacy and Data Protection and the Office of the Attorney General to research best practices for data governance and protection and submit a report to the Legislature by Dec. 1 of this year.

The Senate passed the bill quickly Wednesday, with no lawmakers voicing opposition or voting against it. A floor amendment offered by Sen. Lynda Wilson, R-Vancouver, added a section requiring a third-party audit of the state’s cybersecurity.

Republican Sen. Ann Rivers of Port Orchard and Senate Minority Leader John Braun of Centralia had previously voiced resistance to what they called a “whole new bureaucracy” as a solution. Asked what changed ahead of this week’s vote, Sen. Braun said lawmakers were skeptical but did their jobs, thought about it and “voted accordingly.”

“For my part... I think as the depth and breadth of all the breaches come into fuller and brighter view, it became apparent that we needed to do something,” Sen. Rivers said. “I’m always going to stand against a massive expansion of government, but I think in this case I began to feel comfortable that it was going to be fairly lean and tight and very focused.”

With the Senate vote, the bill now moves to the House for further consideration.

Another bill, introduced by Republicans in the House, would require the state Employment Security Department and Department of Labor examine their practices of disclosing full Social Security numbers in communications with third parties. If that disclosure isn’t necessary by law, the departments would be required to put in place procedures to replace their use of the full numbers.

The House passed that bill off the floor in another unanimous vote Wednesday.

The 105-day session is scheduled to adjourn April 25.

This story has been updated.

This story was originally published February 25, 2021 at 5:45 AM.

Related Stories from Tacoma News Tribune

Data breach at Fred Meyer, QFC and other pharmacies might have exposed personal information

Auditor’s Office contractor was using 20-year-old software when security breach occurred

Get unlimited digital access

#ReadLocal