A state Office of Cybersecurity (OCS) would be established within the Office of the Chief Information Officer (OCIO) to set security policies and develop centralized protocols for managing the state’s information technology assets, under legislation heard Tuesday by the Senate Energy, Environment and Technology Committee.

Senate Bill 5432, sponsored by Sen. Reuven Carlyle (D-Seattle), was introduced in response to a security breach involving Accellion, a third-party vendor used by the Office of the Washington State Auditor, which exposed personal information from around 1.6 million unemployment claims filed in 2020.

“The ever-expanding universe of sensitive data managed by our state agencies demands world-class protections,” Carlyle said. “This data must be guarded actively and rigorously, based on best practices for data handling, and our methods must be regularly reviewed and updated to ensure that our level of security remains state-of-the-art.”

Requested by Gov. Jay Inslee, the legislation would direct all state entities to adopt programs that incorporate OCS security standards and to report to OCS any major cybersecurity incident within 24 hours. This policy would apply to institutions of higher education, the Legislature, the Judiciary, and state agencies.

“Cyberattacks are on the rise, both at an alarming frequency and level of sophistication,” Inslee said. “This bill responds to those threats by creating a strong central authority on cybersecurity and improving our state’s cyber posture. I thank Sens. Carlyle and Nguyen for their leadership on this crucial issue and I am very supportive of this bill.”

The legislation would make OCS the state’s point of contact for policy on data privacy and data protection, and charge it with investigating all major cybersecurity incidents and determining the degree of severity of each incident. An independent compliance audit of data security policies at each state entity would be required no less than once every three years.

“We can’t wait for another breach that jeopardizes the personal information of our residents to act,” said Sen. Nguyen (D-White Center), co-sponsor of the bill. “This is a crucial step towards modernizing data protection practices, and an important one for our state.”

The bill would direct the Office of Privacy and Data Protection, a subset of the OCIO, to collaborate with the state Attorney General’s Office in researching best practices for data protection and report the findings to the Legislature by Dec. 1, 2021.