SENATE BILL REPORT

2SHB 1469

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Reported by Senate Committee On:

Financial Institutions & Insurance, March 25, 2015

Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.

Brief Description: Addressing removal of payment credentials and other sensitive data from state data networks.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Hudgins, Magendanz, Stanford, Ormsby and Tarleton).

Brief History: Passed House: 3/11/15, 98-0.

Committee Activity: Financial Institutions & Insurance: 3/25/15 [DP-WM].

SENATE COMMITTEE ON FINANCIAL INSTITUTIONS & INSURANCE

Majority Report: Do pass and be referred to Committee on Ways & Means.

Signed by Senators Benton, Chair; Angel, Vice Chair; Mullet, Ranking Minority Member; Darneille, Hobbs, Litzow, Pedersen and Roach.

Staff: Shani Bauer (786-7468)

Background: The Office of the Chief Information Officer (OCIO) was created in 2011 within the Office of Financial Management (OFM). OCIO is responsible for the preparation and implementation of a strategic information technology (IT) plan and enterprise architecture for the state. OCIO works toward standardization and consolidation of IT infrastructure and establishes IT standards and policies, including state IT security policies. OCIO also prepares a biennial state performance report on IT, evaluates current IT spending and budget requests, and oversees major IT projects.

Summary of Bill: State agencies are prohibited from holding payment credentials on state data systems. Payment credentials are defined to include credit and debit card data and other personally identifiable credentials allowing the state to receive incoming payments. Payment credentials collected on behalf of state agencies must be accepted and stored by a third-party institution that is fully compliant with industry-leading security standards.

A third-party institution is financially liable for damages resulting from a data security breach if it is found not to have been compliant with industry-leading standards at the time of the breach.

Agencies that currently store payment credentials must work with OCIO to eliminate these data from state systems by 2018, but OCIO may grant a waiver of this requirement in limited circumstances.

OCIO must also develop a policy for minimizing retention of social security numbers and other personally identifiable information by state agencies. The policy must include an examination of the reasons sensitive data is being collected and justifications for ongoing retention.

Appropriation: None.

Fiscal Note: Available.

Committee/Commission/Task Force Created: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: The state's information technology budget is around $2 billion. Cyber security issues are a significant area of concern. A package of bills was introduced this year to deal with those concerns. This is one of three strategies to address security, which is to lower the value of the data in state systems. Payment credentials are better stored with third-party institutions that follow security practices for doing that. A waiver process is included so that those agencies that have old legacy systems that are in the process of being replaced won't have to remove the data until the systems are taken out of commission.

Persons Testifying: PRO: Representative Hudgins, prime sponsor.

Persons Signed in to Testify But Not Testifying: No one.