SENATE BILL REPORT
ESHB 1421
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Reported by Senate Committee On:
State Government, Tribal Relations & Elections, February 23, 2018
Title: An act relating to the removal of payment credentials and other sensitive data from state data networks.
Brief Description: Concerning the removal of payment credentials and other sensitive data from state data networks.
Sponsors: House Committee on Appropriations (originally sponsored by Representatives Smith, Hudgins and Stanford).
Brief History: Passed House: 3/06/17, 98-0; 2/07/18, 98-0.
Committee Activity: State Government, Tribal Relations & Elections: 2/19/18, 2/21/18, 2/23/18 [DPA-WM].
Brief Summary of Amended Bill
SENATE COMMITTEE ON STATE GOVERNMENT, TRIBAL RELATIONS & ELECTIONS
Majority Report: Do pass as amended and be referred to Committee on Ways & Means.
Signed by Senators Hunt, Chair; Kuderer, Vice Chair; Miloscia, Ranking Member; Saldaña and Zeiger.
Staff: Samuel Brown (786-7470)
Background: In 2016, the Office of the Attorney General indicated in its Data Breach Report that financial account information was the most frequently compromised type of personal information. Data breaches reported to the Attorney General's Office, such as malicious cybersecurity attacks, unintentional breaches, and unauthorized access, compromised the personal information of over 450,000 Washington residents in the year preceding the report. The most common cause of a data breach is a third party gaining access to a computerized network through malicious means.
The Consolidated Technology Services Agency, commonly known as WaTech, establishes security standards and policies to ensure the confidentiality and integrity of information transacted, stored, or processed in the state's information technology systems and infrastructure. Each state agency must also develop an information technology security program.
The Office of Privacy and Data Protection (OPDP), housed within WaTech, is a point of contact for state agencies on policy matters involving data privacy and protection. The OPDP conducts annual privacy reviews, trains agencies and employees, articulates privacy principles and best practices, coordinates data protection, and participates with the chief information officer in the review of major state agency projects involving personally identifiable information.
Summary of Amended Bill: State agencies are prohibited from storing payment credentials on state data systems by July 1, 2020. Waivers may be granted if transitioning payment credentials off state data systems presents special difficulty, or where holding payment credentials is required for day-to-day business of the agency or by law. Third-party institutions storing payment credential data cannot transfer, sell, trade, monetize, or otherwise share the data unless required by law or to process payments. Institutions not in compliance with industry standards are fully financially liable for damages from any security breaches.
Payment credentials include the following:
the full magnetic stripe or primary account number of a credit or debit card combined with cardholder name, expiration date, or service code; or
personally identifiable credentials allowing the state to receive incoming payments for services, excluding account information required for making outgoing payments, distributions, and transfers.
WaTech must develop a policy, to be followed by all agencies, to minimize agency retention of personally identifiable information.
EFFECT OF STATE GOVERNMENT, TRIBAL RELATIONS & ELECTIONS COMMITTEE AMENDMENT(S): Third-party institutions may transfer or share payment credentials for the sole purpose of processing payments on behalf of the agency or agency customer.
Appropriation: None.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: No.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony on Engrossed Substitute House Bill: The committee recommended a different version of the bill than what was heard. PRO: This will ensure that payment credentials are stored by a third party that is compliant with best industry standards. We need to do everything we can to be trustworthy with Washingtonians' payment credentials.
Persons Testifying: PRO: Representative Norma Smith, Prime Sponsor.
Persons Signed In To Testify But Not Testifying: No one.