HOUSE BILL REPORT

HB 1421

As Reported by House Committee On:

State Government, Elections & Information Technology

Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.

Brief Description: Concerning the removal of payment credentials and other sensitive data from state data networks.

Sponsors: Representatives Smith, Hudgins and Stanford.

Brief History:

Committee Activity:

State Government, Elections & Information Technology: 2/1/17, 2/3/17 [DP].

Majority Report: Do pass. Signed by 9 members: Representatives Hudgins, Chair; Dolan, Vice Chair; Koster, Ranking Minority Member; Volz, Assistant Ranking Minority Member; Appleton, Gregerson, Irwin, Kraft and Pellicciotti.

Staff: Megan Palchak (786-7105).

Background:

In 2016 the Office of the Attorney General indicated in its Data Breach Report that financial account information was the most frequently compromised type of information. At the time of report, data breaches, such as malicious cybersecurity attacks, unintentional breaches, and unauthorized access, had impacted fewer than 10,000 consumers in Washington State. Cybersecurity attacks cause most breaches.

The Consolidated Technology Services Agency (CTSA), or WaTech, is required to establish security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency must develop an information technology security program.

The Office of Privacy and Data Protection (OPDP) is a point of contact for state agencies on policy matters involving data privacy and protection. The OPDP conducts annual privacy reviews, trains agencies and employees, articulates privacy principles and best practices, coordinates data protection in cooperation with the CTSA, and participates with the Office of the State Chief Information Officer in the review of major state agency projects involving personally identifiable information.

–––––––––––––––––––––––––––––––––

Summary of Bill:

State agencies are prohibited from storing payment credentials on state data systems. Payment credentials include: (1) the full magnetic stripe or primary account number of a credit or debit card combined with cardholder name, expiration date or service code, or (2) personally identifiable credentials allowing the state to receive incoming payments for services, excluding account information required for making outgoing payments, distributions, and transfers. The CTSA must develop policy to minimize retention of personally identifiable information.

Payment data must be eliminated from state systems by July 1, 2020. Waivers may be granted in instances where transitioning payment credentials off state data systems presents special difficulty, or where holding payment credentials is required for day-to-day agency business of the agency or by law.

Payment credential data must be accepted and stored by a third-party institution that is fully compliant with industry standards, which must be liable for security breaches if out of compliance with standards.

–––––––––––––––––––––––––––––––––

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony:

(In support) None.

(Opposed) None.

(Other) State agencies are currently encouraged to refrain from maintaining payment information unless required by day-to-day operations.  Standards require classification of payment data.  Agencies are supported through a design process to identify third parties to hold that data.  This bill provides an opportunity for agencies to describe their business needs.

Persons Testifying: Agnes Kirk, WaTech.

Persons Signed In To Testify But Not Testifying: None.