Legislation passed today by the Senate would create a state Office of Cybersecurity (OCS) within the Office of the Chief Information Officer (OCIO) to set security policies and develop centralized protocols for managing the state’s information technology assets.

Senate Bill 5432 , which passed unanimously, was developed in response to a security breach involving Accellion, a third-party vendor used by the Office of the Washington State Auditor, exposing personal information from around 1.6 million unemployment claims filed in 2020.

“Cybersecurity is not a luxury, it’s central to government’s obligation to manage data wisely and effectively,” said Sen. Reuven Carlyle (D-Seattle), the bill’s sponsor. “We need to follow global best practices in terms of data management, oversight and technology. This bill strengthens our approach and is a vital step forward. We know from the State Auditor data breach that this information is highly sensitive and valuable and the state’s obligation to the public is paramount.”

Requested by Gov. Jay Inslee, the legislation would direct all state entities to adopt programs that incorporate OCS security standards and to report to OCS any major cybersecurity incident within 24 hours. This policy would apply to institutions of higher education, the Legislature, the Judiciary, and state agencies.

“With the ever-increasing threats we are facing, this is very important step to increase our state’s cybersecurity approach,” Inslee said. “I appreciate the leadership of the Senate and look forward to success in the House.”

The legislation would make OCS the state’s point of contact for policy on data privacy and data protection, and charge it with investigating all major cybersecurity incidents and determining the degree of severity of each incident. An independent compliance audit of data security policies at each state entity would be required no less than once every three years.

“With a number of data breaches at state agencies in the last several months sowing doubts in our institutions, this is an important step towards trust and accountability,” said Sen. Nguyen (D-White Center), the lead co-sponsor on the bill. “Our residents deserve confidence that their personal information is secure, and this bill is a crucial step to modernize data protection practices and protect that information.”

The bill would direct the Office of Privacy and Data Protection, a subset of the OCIO, to collaborate with the state Attorney General’s Office in researching best practices for data protection and report the findings to the Legislature by Dec. 1, 2021.