SENATE BILL REPORT

ESHB 1421

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

As of February 20, 2018

Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.

Brief Description: Concerning the removal of payment credentials and other sensitive data from state data networks.

Sponsors: House Committee on Appropriations (originally sponsored by Representatives Smith, Hudgins and Stanford).

Brief History: Passed House: 3/06/17, 98-0; 2/07/18, 98-0.

Committee Activity: State Government, Tribal Relations & Elections: 2/19/18.

Brief Summary of Bill

  • Prohibits state agencies from storing payment credentials on state data systems, except under certain circumstances.

  • Requires WaTech to develop a policy to minimize agency retention of personally identifiable information.

SENATE COMMITTEE ON STATE GOVERNMENT, TRIBAL RELATIONS & ELECTIONS

Staff: Samuel Brown (786-7470)

Background: In 2016, the Office of the Attorney General indicated in its Data Breach Report that financial account information was the most frequently compromised type of personal information. Data breaches reported to the Attorney General's Office, such as malicious cybersecurity attacks, unintentional breaches, and unauthorized access, compromised the personal information of over 450,000 Washington residents in the year preceding the report. The most common cause of a data breach is a third party gaining access to a computerized network through malicious means.

The Consolidated Technology Services Agency, commonly known as WaTech, establishes security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency must also develop an information technology security program.

The Office of Privacy and Data Protection (OPDP), housed within WaTech, is a point of contact for state agencies on policy matters involving data privacy and protection. The OPDP conducts annual privacy reviews, trains agencies and employees, articulates privacy principles and best practices, coordinates data protection, and participates with the chief information officer in the review of major state agency projects involving personally identifiable information.

Summary of Bill: State agencies are prohibited from storing payment credentials on state data systems by July 1, 2020. Waivers may be granted if transitioning payment credentials off state data systems presents special difficulty, or where holding payment credentials is required for the day-to-day business of the agency or by law. Payment credential data must be accepted and stored by a third-party institution that is fully compliant with industry standards. Third-party institutions storing payment credential data cannot transfer, sell, trade, monetize, or otherwise share the data unless required by law. Institutions not in compliance with industry standards are fully financially liable for damages from any security breaches.

Payment credentials include the following:

WaTech must develop a policy, to be followed by all agencies, to minimize agency retention of personally identifiable information.

Appropriation: None.

Fiscal Note: Available.

Creates Committee/Commission/Task Force that includes Legislative members: No.

Effective Date: Ninety days after adjournment of session in which bill is passed.

Staff Summary of Public Testimony: PRO: This will ensure that payment credentials are stored by a third party that is compliant with best industry standards. We need to do everything we can to be trustworthy with Washingtonians' payment credentials.

Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor.

Persons Signed In To Testify But Not Testifying: No one.