AN ACT Relating to authorizing the state auditor to conduct audits of state government and local agencies' data storage and management practices thereby protecting privacy and securing personal information from computer hacking or misuse of data; amending RCW 43.09.050, 43.09.055, 43.09.185, and 42.30.110; and adding a new section to chapter 43.09 RCW.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:

Sec. 1.  RCW 43.09.050 and 1992 c 118 s 6 are each amended to read as follows:

The auditor shall:

(1) Except as otherwise specifically provided by law, audit the accounts of all collectors of the revenue and other holders of public money required by law to pay the same into the treasury;

(2) In his or her discretion, inspect the books of any person charged with the receipt, safekeeping, and disbursement of public moneys;

(3) Investigate improper governmental activity under chapter 42.40 RCW;

(4) In his or her discretion, conduct an audit of a state or local agency to determine if the agency's data management and storage practices are consistent with adopted standards;

(5) Inform the attorney general in writing of the necessity for the attorney general to direct prosecutions in the name of the state for all official delinquencies in relation to the assessment, collection, and payment of the revenue, against all persons who, by any means, become possessed of public money or property, and fail to pay over or deliver the same, and against all debtors of the state;

(((5))) (6) Give information in writing to the legislature, whenever required, upon any subject relating to the financial affairs of the state, or touching any duties of his or her office;

(((6))) (7) Report to the director of financial management in writing the names of all persons who have received any moneys belonging to the state, and have not accounted therefor;

(((7))) (8) Authenticate with his or her official seal papers issued from his or her office;

(((8))) (9) Make his or her official report annually on or before the 31st of December.

Sec. 2.  RCW 43.09.055 and 1998 c 232 s 3 are each amended to read as follows:

The state auditor may, where there is reasonable cause to believe that a misuse of state moneys has occurred, or misuse or inappropriate management of citizen data, conduct an audit of financial, data management, and legal compliance of any entity that receives public moneys through contract or grant in return for services. This authority includes examinations of ((not-for-profit corporations who)) nonprofit corporations that provide personal services to a state agency or to clients of a state agency. Such a financial audit shall be performed in a manner consistent with this chapter, and may be performed according to an agreed upon procedures engagement as in the existing 1998 standards of the American institute of certified public accountants professional standards section 600.

The state auditor may charge the contracting agency, whether state or local, for the costs of an audit of a ((not-for-profit)) nonprofit corporation that receives public moneys through contract or grant in return for services. Any contracting agency that is responsible to the state auditor for such costs shall use due diligence to recover costs from the audited entity.

Sec. 3.  RCW 43.09.185 and 1995 c 301 s 8 are each amended to read as follows:

(1) State agencies and local governments shall immediately report to the state auditor's office known or suspected loss of public funds or assets or other illegal activity.

NEW SECTION.  Sec. 4.  A new section is added to chapter 43.09 RCW to read as follows:

(1) Audits of a state agency's data management and storage practices shall be conducted pursuant to the standards established by the state auditor.

(2) Local governments must adopt standards for data management and storage practices and establish a schedule to institute those standards, allowing time for the procurement of needed applications and equipment, and staff training. Standards must be consistent with the intended outcomes of those established by the chief information officer under RCW 43.41A.025, or other generally accepted standards for information security. Effective July 1, 2018, the state auditor's office may begin local government audits to assess whether local governments are meeting the standards adopted for data management and storage practices.

(3) The state auditor's office shall consult with the office of the chief information officer and local governments in providing training on information security for state and local governments.

(4) Results of audits under this section shall be provided only to the state agency executive officer or local government executive body.

Sec. 5.  RCW 42.30.110 and 2014 c 174 s 4 are each amended to read as follows:

(1) Nothing contained in this chapter may be construed to prevent a governing body from holding an executive session during a regular or special meeting:

(a)(i) To consider matters affecting national security;

(b) To consider the selection of a site or the acquisition of real estate by lease or purchase when public knowledge regarding such consideration would cause a likelihood of increased price;

(c) To consider the minimum price at which real estate will be offered for sale or lease when public knowledge regarding such consideration would cause a likelihood of decreased price. However, final action selling or leasing public property shall be taken in a meeting open to the public;

(d) To review negotiations on the performance of publicly bid contracts when public knowledge regarding such consideration would cause a likelihood of increased costs;

(e) To consider, in the case of an export trading company, financial and commercial information supplied by private persons to the export trading company;

(f) To receive and evaluate complaints or charges brought against a public officer or employee. However, upon the request of such officer or employee, a public hearing or a meeting open to the public shall be conducted upon such complaint or charge;

(g) To evaluate the qualifications of an applicant for public employment or to review the performance of a public employee. However, subject to RCW 42.30.140(4), discussion by a governing body of salaries, wages, and other conditions of employment to be generally applied within the agency shall occur in a meeting open to the public, and when a governing body elects to take final action hiring, setting the salary of an individual employee or class of employees, or discharging or disciplining an employee, that action shall be taken in a meeting open to the public;

(h) To evaluate the qualifications of a candidate for appointment to elective office. However, any interview of such candidate and final action appointing a candidate to elective office shall be in a meeting open to the public;

(i) To discuss with legal counsel representing the agency matters relating to agency enforcement actions, or to discuss with legal counsel representing the agency litigation or potential litigation to which the agency, the governing body, or a member acting in an official capacity is, or is likely to become, a party, when public knowledge regarding the discussion is likely to result in an adverse legal or financial consequence to the agency.

This subsection (1)(i) does not permit a governing body to hold an executive session solely because an attorney representing the agency is present. For purposes of this subsection (1)(i), "potential litigation" means matters protected by RPC 1.6 or RCW 5.60.060(2)(a) concerning:

(i) Litigation that has been specifically threatened to which the agency, the governing body, or a member acting in an official capacity is, or is likely to become, a party;

(ii) Litigation that the agency reasonably believes may be commenced by or against the agency, the governing body, or a member acting in an official capacity; or

(iii) Litigation or legal risks of a proposed action or current practice that the agency has identified when public discussion of the litigation or legal risks is likely to result in an adverse legal or financial consequence to the agency;

(j) To consider, in the case of the state library commission or its advisory bodies, western library network prices, products, equipment, and services, when such discussion would be likely to adversely affect the network's ability to conduct business in a competitive economic climate. However, final action on these matters shall be taken in a meeting open to the public;

(k) To consider, in the case of the state investment board, financial and commercial information when the information relates to the investment of public trust or retirement funds and when public knowledge regarding the discussion would result in loss to such funds or in private loss to the providers of this information;

(l) To consider proprietary or confidential nonpublished information related to the development, acquisition, or implementation of state purchased health care services as provided in RCW 41.05.026;

(m) To consider in the case of the life sciences discovery fund authority, the substance of grant applications and grant awards when public knowledge regarding the discussion would reasonably be expected to result in private loss to the providers of this information;

(n) To consider in the case of a health sciences and services authority, the substance of grant applications and grant awards when public knowledge regarding the discussion would reasonably be expected to result in private loss to the providers of this information.

(2) Before convening in executive session, the presiding officer of a governing body shall publicly announce the purpose for excluding the public from the meeting place, and the time when the executive session will be concluded. The executive session may be extended to a stated later time by announcement of the presiding officer.

--- END ---