HOUSE BILL REPORT
ESHB 1068
As Passed Legislature
Title: An act relating to exempting election security information from public records disclosure.
Brief Description: Exempting election security information from public records disclosure.
Sponsors: House Committee on State Government & Tribal Relations (originally sponsored by Representatives Dolan, Valdez, Kloba, Gregerson and Wylie).
Brief History:
Committee Activity:
State Government & Tribal Relations: 1/14/21, 1/21/21 [DPS].
Floor Activity:
Passed House: 2/24/21, 61-37.
Passed Senate: 3/29/21, 33-16.
Passed Legislature.
Brief Summary of Engrossed Substitute Bill
  • Exempts from disclosure under the Public Records Act (PRA) continuity of operations plans for election operations, security risk assessments, and other election security records.
  • Exempts from disclosure under the PRA portions of records that contain information related to election security, operations, and infrastructure.
  • States that the election security records and information exempt under the act do not include information or records pertaining to security breaches, with exceptions.
  • Clarifies that the election security exemptions under the act do not prohibit an audit which is authorized or required under the elections code from being conducted.
HOUSE COMMITTEE ON STATE GOVERNMENT & TRIBAL RELATIONS
Majority Report: The substitute bill be substituted therefor and the substitute bill do pass.Signed by 4 members:Representatives Valdez, Chair; Lekanoff, Vice Chair; Dolan and Gregerson.
Minority Report: Do not pass.Signed by 2 members:Representatives Walsh, Assistant Ranking Minority Member; Graham.
Minority Report: Without recommendation.Signed by 1 member:Representative Volz, Ranking Minority Member.
Staff: Erik Olson (786-7296) and Desiree Omli (786-7105).
Background:

Public Records Act.
The Public Records Act (PRA) requires all state and local governmental entities to make all public records available to the public, unless a specific exemption applies or disclosure is prohibited.  Public records are records prepared or retained by a governmental entity that relate to the conduct of government or the performance of governmental or proprietary functions.  The PRA must be liberally construed; any exemptions to the disclosure requirement must be interpreted narrowly.  Exemptions are permissive, meaning that an agency, although not required to disclose, has the discretion to provide an exempt record.  With exceptions, the exemptions under the PRA are inapplicable to the extent that information, the disclosure of which would violate personal privacy or vital governmental interests, can be deleted from specific requested records.
 
There are a number of statutory exemptions for records or information contained in records, including those that involve security information.  These exemptions include records or information related to preventing or responding to terrorist attacks, vulnerability assessments and emergency response plans for correctional facilities, and safe school plans.  Additionally, information related to public and private infrastructure of computer and telecommunications networks, which include security passwords, access codes, security risk assessments, security test results to the extent that they identify specific system vulnerabilities, and other information the release of which may increase risk to the confidentiality, integrity, or availability of security, information technology infrastructure, are exempt from disclosure.

 

Continuity of Operations Plans — Elections.
The Washington Military Department, through the Adjutant General, must maintain a copy of the continuity of operations plan for election operations for each county that has a plan available as part of its emergency management duties.  Continuity of operations plans are developed to assist with continuing essential functions and services in response to emergencies and disasters.  Local, state, and federal entities, including the Department of Homeland Security, coordinate to address election infrastructure concerns including the security of voting systems, voter registration databases, and polling places.

 

Election Security.
The Secretary of State (Secretary) tests all voting systems or components of voting systems that are submitted for review.  A report of the Secretary's examination is then sent to each county auditor.  Voting systems and components of a voting system are subject to passing an acceptance test and a vulnerability test.  Three days before each state primary or general election, the Secretary provides for the conduct of programming tests for each vote tallying system.  Prior to certification of the election, the county auditor conducts an audit of duplicated ballots and an audit using at least one of the four specified audit methods.  The Secretary must issue an annual report regarding instances of security breaches of election systems or election data and may only distribute the report and related information to certain individuals.  A security breach for election purposes is a breach where the election system or associated data has been penetrated, accessed, or manipulated by an unauthorized person.

Summary of Engrossed Substitute Bill:

Two election security exemptions to the Public Records Act's disclosure requirements are created.  First, the following records are exempt in their entirety:

  • continuity of operations plans for election operations; and
  • the following records that relate to physical security or cybersecurity of election operations or infrastructure:
    1. security audits;
    2. security risk assessments; and 
    3. security test results.

 
Second, portions of records containing information about the following are exempt if the disclosure may increase risk to the integrity of election operations or infrastructure: 

  • election infrastructure;
  • election security; or
  • potential threats to election security.

 

The election security information and records exempt under the act do not include information or records pertaining to security breaches, except as exempt under statutory provisions concerning election security breach identification and reporting.  The election security exemptions created under the act do not prohibit an audit which is authorized or required under the elections code from being conducted. 
 

These exemptions will apply to any public records request made prior to the effective date for which disclosure has not yet occurred.

Appropriation: None.
Fiscal Note: Not requested.
Effective Date: The bill contains an emergency clause and takes effect immediately.
Staff Summary of Public Testimony:

(In support) This bill closes finite loopholes in election security public disclosure that could put Washington elections at risk.  Election officials voluntarily work with the Department of Homeland Security and the State Auditor's Office to perform physical and cyber security assessments.  Federal protocol clearly outlines that these reports are not disclosable, but state law is vague.  Election security and contingency plans should not be provided to people who want to harm Washington's elections.  House Bill 1068 takes a significant step towards protecting Washington's election infrastructure and security plans at both the state and local levels.  Creating these disclosure exemptions will improve confidence that emergency plans will be effective during emergencies and provides clarity surrounding which reports are exempt in their entirety.  House Bill 1068 does not affect the disclosure of a breach or response to a breach by an auditor or the Secretary of State; the public will still know if there was an attack on Washington's elections and how the government responded. 
 
(Opposed) None.

Persons Testifying: Representative Dolan, prime sponsor; Mary Hall, Washington State Association of County Auditors; Jay Jennings, Office of the Secretary of State; and Rowland Thompson, Allied Daily Newspapers of Washington.
Persons Signed In To Testify But Not Testifying: None.