Senate passes bill to create state Office of Cybersecurity

The Washington State Senate unanimously passed legislation today requested by Governor Jay Inslee that would create an Office of Cybersecurity (OCS) to establish security standards that state programs would be required to meet.

Housed within the Office of the Chief Information Officer (OCIO), the overarching directive of the new office would be to develop a centralized cybersecurity protocol for managing state information technology assets.

“With the ever-increasing threats we are facing, this is a very important step to increase our state’s cybersecurity approach,” Inslee said. “I appreciate the leadership of the Senate and look forward to success in the House.”

Under the state’s current administrative structure, the Consolidated Technology Services Agency (WaTech) acts as a centralized provider of IT services to state agencies. The director of WaTech is the state Chief Information Officer. Within WaTech, the OCIO is responsible for setting policies and standards related to cybersecurity.

With a new office created to hone in on those issues, that responsibility would shift to the OCS.

The OCS would continue independent compliance audit requirements that are ongoing. If the audit identifies areas where agencies are failing to comply with OCS standards, agencies would be required to implement a plan to resolve the failure and monitor compliance.

Sponsored by Sen. Reuven Carlyle (D – Seattle), the bill is one response by the Legislature to a January security breach that exposed the personal information from around 1.6 million unemployment claims filed by Washingtonians in 2020. The breach was exposed after Accellion, a third-party software vendor used by the Office of the Washington State Auditor (SAO), told SAO that a December 2020 breach incident might have allowed unauthorized access to data temporarily stored in Accellion’s servers.

“Cybersecurity is not a luxury, it’s central to government’s obligation to manage data wisely and effectively,” said Carlyle. “We need to follow global best practices in terms of data management, oversight and technology. This bill strengthens our approach and is a vital step forward. We know from the State Auditor data breach that this information is highly sensitive and valuable and the state’s obligation to the public is paramount.”

The Accellion incident wasn’t the only breach over the past year that has impacted state agencies. In the spring of 2020, the Employment Security Department (ESD) lost about $600 million in a scam carried out by a Nigerian cybercrime network.

Following a major cybersecurity incident, state agencies would be required to report that incident to the OCS within 24 hours after the incident is discovered. The bill would also require that written data sharing agreements be in place prior to the sharing of category 3 or higher data between agencies.

In collaboration with the Office of Privacy and Data Protection and the Office of the Attorney General, the OCS would conduct research on existing best practices for data governance and data protection, including model terms for data sharing contracts, and submit a report to the Legislature by December 1, 2021.

The bill now heads to the House for final passage.
