H-2970.3
HOUSE BILL 2249
| | |
State of Washington | 65th Legislature | 2017 3rd Special Session |
By Representatives Smith and Morris
Read first time 07/20/17. Referred to Committee on Technology & Economic Development.
AN ACT Relating to protecting privacy and identity by setting data collection, storage, use, and disposal standards; adding a new section to chapter
28A.320 RCW; adding a new section to chapter
28A.195 RCW; adding a new section to chapter
28B.10 RCW; adding a new section to chapter
28B.85 RCW; adding a new chapter to Title
19 RCW; and creating new sections.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:
NEW SECTION. Sec. 1. The legislature takes notice of a recent theft of sensitive computer data, including reportedly over one million social security numbers. According to reports, the data was held by a research center affiliated with a state university, but stored off-site at a self-storage locker with the most rudimentary of security. Numerous individuals who were notified that their data was among that stolen report deep concern about how the university came to have custody of their social security number, as they have no prior connection with the university. The legislature finds that this incident raises fundamental policy questions about the circumstances in which social security numbers are collected, shared, or sold among or to institutions of higher education as defined in RCW 28B.10.016 and other postsecondary institutions of education, how they are subsequently stored and disposed of, and about whether the value of the research outweighs the risks to the individuals affected and the potential liability of the state of amassing stores of this quantity of sensitive personal information. While these policy issues are being investigated and debated, the legislature finds that it is necessary to implement stop-gap measures to better safeguard our students from the undue risk of their social security number, without their consent, dispersing into a myriad of data sets held by people who are unaccountable to them. NEW SECTION. Sec. 2. (1) Institutions of higher education as defined in RCW 28B.10.016 and other postsecondary institutions of education in Washington, whether public or private, may not share, furnish, sell, or in any way transfer the social security number of any student outside of the institution or school district where the student attends or attended unless positively required by law or court order, except where the student or the parent or guardian of a minor student gives written consent. (2) Institutions of higher education as defined in RCW
28B.10.016 and other postsecondary institutions of education in Washington, whether public or private, must exercise the highest standard of care and diligence to protect any social security numbers in their custody, including encryption when stored or transferred. Among other duties of safekeeping, with regard to the storage of social security numbers in digital form on a back-up hard drive, the storage location of that back-up hard drive must be monitored on a continuous basis. Storage of back-up hard drives containing social security numbers at facilities not under the direct and continuous supervision and control of the institutions of higher education as defined in RCW
28B.10.016 and other postsecondary institutions of education is prohibited.
(3) Institutions of higher education as defined in RCW
28B.10.016 and other postsecondary institutions of education in Washington, whether public or private, must minimize the collection and retention of social security numbers and effectively delete or dispose of the record of those numbers when no longer necessary to accomplish the lawful educational or research purpose for which they were obtained.
(4) Whenever feasible to do so, institutions of higher education as defined in RCW
28B.10.016 and other postsecondary institutions of education, whether public or private, should maintain any data lists that contain social security numbers that come into their custody in such a way as to minimize the risk of unauthorized access including, but not limited to, replacing social security numbers with other identification numbers.
(5) The requirements in this chapter are intended to be in addition to any other requirements in federal or state law.
NEW SECTION. Sec. 3. (1) A legislative task force is created for the 2017-2019 biennium to study how best to prevent the proliferation of social security numbers of Washington's citizens, particularly its youth, under any circumstance not expressly authorized by the affected individual, or, if a minor, that individual's parent or guardian. The task force should consider whether any broader category of sensitive personal information requires similar protection through state law.
(2) The task force must be convened and chaired by the state's chief privacy officer and must consist of at least four legislative members, with one legislator chosen from each of the majority caucuses of the house of representatives and senate. The task force must be staffed by the office of program research and senate committee services. The task force shall prepare a report to the legislature by December 31, 2018.
NEW SECTION. Sec. 4. A new section is added to chapter 28A.320 RCW to read as follows:
School districts must comply with the requirements of section 2 of this act.
NEW SECTION. Sec. 5. A new section is added to chapter 28A.195 RCW to read as follows:
Private schools must comply with the requirements of section 2 of this act.
NEW SECTION. Sec. 6. A new section is added to chapter 28B.10 RCW to read as follows:
Institutions of higher education must comply with the requirements of section 2 of this act.
NEW SECTION. Sec. 7. A new section is added to chapter 28B.85 RCW to read as follows:
All degree-granting institutions must comply with the requirements of section 2 of this act.
NEW SECTION. Sec. 8. Section 2 of this act constitutes a new chapter in Title 19 RCW. --- END ---