Public Records Act.
The Public Records Act (PRA) requires all state and local governmental entities to make public records available to the public, unless a specific exemption applies or disclosure is prohibited.  Public records are records prepared or retained by a governmental entity that relate to the conduct of government or the performance of governmental or proprietary functions.  The PRA must be liberally construed; any exemptions to the disclosure requirement must be interpreted narrowly.  Exemptions are permissive, meaning that an agency, although not required to disclose, has the discretion to provide an exempt record.  With exceptions, the exemptions under the PRA are inapplicable to the extent that information, the disclosure of which would violate personal privacy or vital governmental interests, can be deleted from specific requested records.
 
There are a number of statutory exemptions for security information.  These exemptions include records or information related to preventing or responding to terrorist attacks, vulnerability assessments and emergency response plans for correctional facilities, and safe school plans.  Additionally, information related to public and private infrastructure of computer and telecommunications networks, which include security passwords, access codes, security risk assessments, security test results to the extent that they identify specific system vulnerabilities, and other information the release of which may increase risk to the confidentiality, integrity, or availability of security, information technology infrastructure, are exempt from disclosure.
 
Continuity of Operations Plans — Elections.
Continuity of operations plans are developed to assist with continuing essential functions and services in response to emergencies and disasters.  The Washington Military Department, through the Adjutant General, must maintain a copy of the continuity of operations plan for election operations for each county that has a plan available as part of its emergency management duties.   Local, state, and federal entities, including the Department of Homeland Security, coordinate to address election infrastructure concerns including the security of voting systems, voter registration databases, and polling places.
 
Election Security.
The Secretary of State (Secretary) tests all voting systems or components of voting systems that are submitted for review.  A report of the Secretary's examination is then sent to each county auditor.  Voting systems and their components are subject to passing an acceptance test and a vulnerability test prior to  use.  Three days before each state primary or general election, the Secretary provides for the conduct of programming tests for each vote tallying system.  Prior to certification of the election, the county auditor conducts an audit of duplicated ballots and an audit using at least one of the four statutorily specified audit methods.  The Secretary must issue an annual report regarding instances of security breaches of election systems or election data and may only distribute the report and related information to certain individuals.  A security breach for election purposes occurs when the election system or associated data has been penetrated, accessed, or manipulated by an unauthorized person.

Two election security exemptions to the Public Records Act's disclosure requirements are created.  First, the following records are exempt in their entirety:

• continuity of operations plans for election operations; and
• the following records that relate to physical security or cybersecurity of election operations or infrastructure:
  1. security audits;
  2. security risk assessments; and
  3. security test results.

 
Second, portions of records containing information about the following are exempt if the disclosure may increase risk to the integrity of election operations or infrastructure: 

• election infrastructure;
• election security; or
• potential threats to election security.

 
The exemptions for election security information and records do not include information or records pertaining to security breaches, except when such information and records are exempt under other specified statutory provisions.  The exemptions also do not prohibit an audit which is authorized or required under the elections code from being conducted. 
 
The exemptions apply to any public records request made prior to the effective date for which disclosure has not yet occurred.