SENATE BILL REPORT
SHB 1421
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent. |
As of March 15, 2017
Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.
Brief Description: Concerning the removal of payment credentials and other sensitive data from state data networks.
Sponsors: House Committee on Appropriations (originally sponsored by Representatives Smith, Hudgins and Stanford).
Brief History: Passed House: 3/06/17, 98-0.
Committee Activity: State Government: 3/15/17.
Brief Summary of Bill |
|
SENATE COMMITTEE ON STATE GOVERNMENT |
Staff: Samuel Brown (786-7470)
Background: In 2016, the Office of the Attorney General indicated in its Data Breach Report that financial account information was the most frequently compromised type of personal information. Data breaches reported to the Attorney General's Office, such as malicious cybersecurity attacks, unintentional breaches, and unauthorized access, compromised the personal information of over 450,000 Washington residents in the year preceding the report. The most common cause of a data breach is from a third party gaining access to a computerized network through malicious means.
The Consolidated Technology Services Agency, commonly known as WaTech, establishes security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency must also develop an information technology security program.
The Office of Privacy and Data Protection (OPDP), housed within WaTech, is a point of contact for state agencies on policy matters involving data privacy and protection. The OPDP conducts annual privacy reviews, trains agencies and employees, articulates privacy principles and best practices, coordinates data protection, and participates with the Chief Information Officer in the review of major state agency projects involving personally identifiable information.
Summary of Bill: State agencies are prohibited from storing payment credentials on state data systems by July 1, 2020. Waivers may be granted if transitioning payment credentials off state data systems presents special difficulty, or where holding payment credentials is required for day-to-day agency business of the agency or by law. Payment credential data must be accepted and stored by a third-party institution that is fully compliant with industry standards. Institutions not in compliance with industry standards are fully financially liable for damages from any security breaches.
Payment credentials include the following:
the full magnetic stripe or primary account number of a credit or debit card combined with cardholder name, expiration date, or service code; or
personally identifiable credentials allowing the state to receive incoming payments for services, excluding account information required for making outgoing payments, distributions, and transfers.
WaTech must develop a policy, to be followed by all agencies, to minimize agency retention of personally identifiable information.
Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony: PRO: This responds to concerns about protecting data privacy and payment credentials raised by the uses of emerging technology. It seeks to ensure that the minimum amount of private information is stored for agencies to complete their mandates. The less we store, the less vulnerable we are.
Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor.
Persons Signed In To Testify But Not Testifying: No one.