HOUSE BILL REPORT

HB 1479

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by House Committee On:

State Government, Elections & Information Technology

Title: An act relating to encryption of data on state information technology systems.

Brief Description: Concerning encryption of data on state information technology systems.

Sponsors: Representatives Hudgins, Graves, Tarleton and Stanford.

Brief History:

Committee Activity:

State Government, Elections & Information Technology: 2/7/17, 2/8/17 [DP].

Brief Summary of Bill

  • Requires classification and encryption of data associated with state networks.

HOUSE COMMITTEE ON STATE GOVERNMENT, ELECTIONS & INFORMATION TECHNOLOGY

Majority Report: Do pass. Signed by 9 members: Representatives Hudgins, Chair; Dolan, Vice Chair; Koster, Ranking Minority Member; Volz, Assistant Ranking Minority Member; Appleton, Gregerson, Irwin, Kraft and Pellicciotti.

Staff: Megan Palchak (786-7105).

Background:

The Consolidated Technology Services agency (CTS), or WaTech, is required to establish security standards and policies to ensure the confidentiality, availability, and integrity of the information transacted, stored, or processed in the state's information technology systems and infrastructure.  Each state agency must develop an information technology security program.

The Office of Privacy and Data Protection (OPDP) is a point of contact for state agencies on policy matters involving data privacy and protection.  The OPDP conducts annual privacy reviews; trains agencies and employees; articulates privacy principles and best practices; coordinates data protection in cooperation with the CTS; and participates with the Office of the State Chief Information Officer (Office) in the review of major state agency projects involving personally identifiable information.

–––––––––––––––––––––––––––––––––

Summary of Bill:

The CTS must establish a classification schedule for data on, or passing through, state data networks.  State agencies must classify all data stored on state systems or elsewhere. Any agency not on the state governmental network must encrypt data.  All data considered confidential and not stored or transmitted by the state governmental network must be encrypted, or protected, in electronic or optical form, while in transit or storage.  Encryption technology utilized must meet standards, such as those adopted by the National Institute of Standards and Technology. 

Agencies must submit plans for storing or transmitting confidential data no later than September 1, 2018.  Plans must include a total cost estimate and timeline for implementation.  The Office must: (a) review and approve, or work with agencies to modify plans to align with the Office policy; (b) submit a report summarizing the final approved plans to the Legislature by 2019, which must include agency cost estimates and implementation timeframes, and may exclude information exposing potential vulnerabilities; (c) adopt encryption standards for state agency compliance; (d) update and distribute standards to state information technology directors, annually by the end of each fiscal year, which include phase-in of any new technologies; and (e) grant individual waivers.

–––––––––––––––––––––––––––––––––

Appropriation: None.

Fiscal Note: Preliminary fiscal note available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) This bill could be improved with an amendment to Section 2 to add "index."

(Opposed) None.

Persons Testifying: Representative Hudgins, prime sponsor; and Rowland Thompson.

Persons Signed In To Testify But Not Testifying: None.