SENATE BILL REPORT

2SHB 1469

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of March 20, 2015

Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.

Brief Description: Addressing removal of payment credentials and other sensitive data from state data networks.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Hudgins, Magendanz, Stanford, Ormsby and Tarleton).

Brief History: Passed House: 3/11/15, 98-0.

Committee Activity: Financial Institutions & Insurance: 3/25/15.

SENATE COMMITTEE ON FINANCIAL INSTITUTIONS & INSURANCE

Staff: Shani Bauer (786-7468)

Background: The Office of the Chief Information Officer (OCIO) was created in 2011 within the Office of Financial Management (OFM). OCIO is responsible for the preparation and implementation of a strategic information technology (IT) plan and enterprise architecture for the state. OCIO works toward standardization and consolidation of IT infrastructure and establishes IT standards and policies, including state IT security policies. OCIO also prepares a biennial state performance report on IT, evaluates current IT spending and budget requests, and oversees major IT projects.

Summary of Bill: State agencies are prohibited from holding payment credentials on state data systems. Payment credentials are defined to include credit and debit card data and other personally identifiable credentials allowing the state to receive incoming payments. Payment credentials collected on behalf of state agencies must be accepted and stored by a third-party institution that is fully compliant with industry-leading security standards.

A third-party institution is financially liable for damages resulting from a data security breach if it is found not to have been compliant with industry-leading standards at the time of the breach.

Agencies that currently store payment credentials must work with OCIO to eliminate these data from state systems by 2018, but may be granted a waiver from this requirement by OCIO in limited circumstances.

OCIO must also develop a policy for minimizing retention of social security numbers and other personally identifiable information by state agencies. The policy must include an examination of the reasons sensitive data is being collected and justifications for ongoing retention.

Appropriation: None.

Fiscal Note: Available.

Committee/Commission/Task Force Created: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.