HOUSE BILL REPORT

ESHB 1421

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As Passed House:

February 7, 2018

Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.

Brief Description: Concerning the removal of payment credentials and other sensitive data from state data networks.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Smith, Hudgins and Stanford).

Brief History:

Committee Activity:

State Government, Elections & Information Technology: 2/1/17, 2/3/17 [DP];

Appropriations: 2/16/17, 2/22/17 [DPS].

Floor Activity:

Passed House: 3/6/17, 98-0.

Floor Activity:

Passed House: 2/7/18, 98-0.

Brief Summary of Engrossed Substitute Bill

  • Prohibits state agencies from storing payment credentials on state data systems and instead requires a compliant third-party institution to accept and store payment credentials.

  • Provides waivers to agencies that currently store payment credentials under certain circumstances.

HOUSE COMMITTEE ON STATE GOVERNMENT, ELECTIONS & INFORMATION TECHNOLOGY

Majority Report: Do pass. Signed by 9 members: Representatives Hudgins, Chair; Dolan, Vice Chair; Koster, Ranking Minority Member; Volz, Assistant Ranking Minority Member; Appleton, Gregerson, Irwin, Kraft and Pellicciotti.

Staff: Megan Palchak (786-7105).

HOUSE COMMITTEE ON APPROPRIATIONS

Majority Report: The substitute bill be substituted therefor and the substitute bill do pass. Signed by 33 members: Representatives Ormsby, Chair; Robinson, Vice Chair; Chandler, Ranking Minority Member; MacEwen, Assistant Ranking Minority Member; Stokesbary, Assistant Ranking Minority Member; Bergquist, Buys, Caldier, Cody, Condotta, Fitzgibbon, Haler, Hansen, Harris, Hudgins, Jinkins, Kagi, Lytton, Manweller, Nealey, Pettigrew, Pollet, Sawyer, Schmick, Senn, Springer, Stanford, Sullivan, Taylor, Tharinger, Vick, Volz and Wilcox.

Staff: James Mackison (786-7104).

Background:

The Office of the Chief Information Officer (OCIO) is housed within the Consolidated Technology Services Agency. The OCIO prepares and leads the implementation of a strategic direction and enterprise structure for information technology (IT) for state government. The OCIO also establishes standards and policies for the consistent and efficient operation of IT services throughout state government. In addition, the OCIO is required to establish security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency must adhere to the OCIO's security standards and policies.

When a qualified entity fails to take reasonable care to guard against unauthorized access to account information in its possession or under its control, and that failure is found to be the proximate cause of a breach, the qualified entity is liable to a financial institution for reimbursement of the reasonable actual costs of reissuing credit cards and debit cards that the financial institution incurs to mitigate damages to cardholders residing in the state. The prevailing party in a legal action brought for such a breach is entitled to recover reasonable attorney fees and costs incurred in connection with the legal action.

Summary of Engrossed Substitute Bill:

State agencies are prohibited from storing payment credentials on state data systems. Payment credentials include: (1) the full magnetic stripe or primary account number of a credit or debit card combined with cardholder name, expiration date or service code, or (2) personally identifiable credentials allowing the state to receive incoming payments for services, excluding account information required for making outgoing payments, distributions, and transfers. The OCIO must develop policy to minimize retention of personally identifiable information including Social Security numbers.

Payment credentials must be eliminated from state systems by July 1, 2020. Waivers may be granted in instances where transitioning payment credentials off state data systems presents special difficulty, or where holding payment credentials is required for the agency's day-to-day business or by law.

Payment credentials collected on behalf of a state agency to process payments for the agency must be accepted and stored by a third-party institution that is fully compliant with industry leading security standards. The institution is liable for damages resulting from security breaches that result in the unauthorized acquisition of payment credentials collected and processed on behalf of agencies, if the institution is found to have been out of compliance with standards at the time of the breach. Damages may include costs of notification, credit monitoring, identity theft prevention measures, and other remedies under data breach laws.

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.

Staff Summary of Public Testimony (State Government, Elections & Information Technology):

(In support) None.

(Opposed) None.

(Other) State agencies are currently encouraged to refrain from maintaining payment information unless required by day-to-day operations. Standards require classification of payment data. Agencies are supported through a design process to identify third parties to hold that data. This bill provides an opportunity for agencies to describe their business needs.

Staff Summary of Public Testimony (Appropriations):

(In support) None.

(Opposed) None.

Persons Testifying (State Government, Elections & Information Technology): Agnes Kirk, WaTech.

Persons Testifying (Appropriations): None.

Persons Signed In To Testify But Not Testifying (State Government, Elections & Information Technology): None.

Persons Signed In To Testify But Not Testifying (Appropriations): None.