State Senate aims to strengthen cybersecurity after data hack

The Washington state Legislature is considering a bill that would centralize the state’s response to cybersecurity threats and strengthen the government’s ability to protect residents’ online data.

Senate Bill 5432 was introduced by state Sen. Reuven Carlyle, D-Seattle, on Feb. 8. It proposes the establishment of an Office of Cybersecurity within the Consolidated Technology Services Agency, also known as WaTech. WaTech serves as the internet technology provider and procurer for state agencies and manages a large amount of private information for Washington’s 7.6 million residents — information such as names, dates of birth and Social Security numbers. The proposed Office of Cybersecurity would be the state’s point of contact for policy on data privacy and data protection, and would be in charge of investigating all major cybersecurity-related incidents and determining the seriousness of each event.

SB 5432 comes as a response to a massive data breach in December of last year that may have exposed as many as 1.6 million Washingtonians’ personal private data. The hackers targeted Accellion, a California-based software company that contracts with the Washington State Auditor’s Office. After Accellion announced the breach this January, the State Auditor’s Office warned that the affected information included the personal information of everyone who filed for unemployment last year, as well as a smaller number of people associated with the state’s Department of Children, Youth and Families. The State Auditor’s Office has reached out to everyone affected by the breach.

Carlyle was asked about the data breach during a constituent town hall, which was streamed on Facebook Live, on Feb. 4. He assured the questioner that he was in the process of putting together legislation to address the issue; SB 5432 came out of that work.

The bill is supported by the State Auditor’s Office, which suffered the data breach, and the policy office of Gov. Jay Inslee, which noted that the centralizing aspect of the bill would make collaboration across all parts of state government quicker and more efficient. 

On Feb. 9, Carlyle argued in favor of his bill during a meeting of the Senate Committee on Environment, Energy and Technology, which he chairs.

“We’re living in a time of historic cybersecurity threats,” he said. “It’s time for us to get more serious about what evidence-based best practices look like.”

He also pointed out that Washington, of all states, should be a leader in cybersecurity, as the state is a global center for high-tech industries and many of the world’s top cybersecurity experts reside here.

On Thursday, the committee met for an executive session. Carlyle again urged his fellow committee members to pass the bill, emphasizing that the December data breach was “absolutely, categorically unacceptable,” and that Washington state’s data security practices fall short of best practices.

“We need to up our game at every level,” he said. 

Sen. Shelly Short, R-Addy, added her voice to Carlyle’s.

“I’m not usually one to grow government, but I think in this instance it’s incumbent upon [us to] make sure we can protect this information,” she said. 

When the committee voted on whether to pass the bill, all the senators voted in favor, with the exception of Sen. Doug Erickson, R-Ferndale.

The bill will proceed to the next step of the legislative process — discussion by the Senate Rules Committee.