The Public Records Act. The Public Records Act (PRA), enacted in 1972 as part of Initiative 276, requires all state and local government agencies to make all public records available for public inspection and copying unless certain statutory exemptions apply. Over 500 specific references in the PRA or other statutes remove certain information from application of the PRA, provide exceptions to the public disclosure and copying of certain information, or designate certain information as confidential. The provisions requiring public records disclosure must be interpreted liberally, while the exemptions are interpreted narrowly to effectuate the general policy favoring disclosure.
Security Exemptions. Certain statutory provisions exempt records or information relating to physical and cybersecurity from disclosure. Information related to preventing or responding to terrorist attacks, vulnerability assessments and emergency response plans for correctional facilities, and safe school plans is exempt from the PRA's disclosure requirements.
Additionally, information related to public and private infrastructure of computer and telecommunications networks, which include security passwords, access codes, security risk assessments, security test results to the extent that they identify specific system vulnerabilities, and other information the release of which may increase risk to the confidentiality, integrity, or availability of security, information technology infrastructure, is exempt from PRA disclosure requirements.
Continuity of Elections Operations Plans. Continuity of operations plans are developed to assist with continuing essential functions and services in response to emergencies and disasters. The Washington Military Department, through the Adjutant General, maintains a copy of the continuity of elections operations plan for each county that has a plan available.
Election Security and Audits. All voting systems and components must pass an acceptance test administered by the Secretary of State (Secretary) and a vulnerability test. The Secretary must then send a report of the examination of each voting system and component to each county auditor. Three days before each state primary or general election, each vote tallying system must pass a programming test to verify that the system will correctly count votes cast.
Prior to certification of the election, each county auditor conducts an audit of duplicated ballots and an audit using at least one of four specified audit methods:
The Secretary must issue an annual report regarding instances of security breaches of election systems or election data. The report and related information may only be distributed to the Governor, state chief information officer, the Washington State Fusion Center, and the chairs and ranking members of relevant legislative committees.
Election Security Exemptions. The following information is exempt in its entirety from the PRA's disclosure requirements:
Portions of records containing information about election infrastructure, security, or potential threats to election security are exempt from disclosure if the disclosure may increase risk to the integrity of election operations or infrastructure.
Exceptions. Information or records pertaining to election security breaches is not exempt from disclosure requirements, except under existing statutory provisions concerning election security breach identification and reporting. The exemptions created under the act do not prohibit the conduct of an audit under the elections code.
Application to Pending Requests. These exemptions apply to any public records request made prior to the effective date for which disclosure has not yet occurred.
PRO: This takes out a very specific, finite loophole in public disclosure laws. Physical and cyber security assessments are a regular and important part of what elections officials do, and we should not have to disclose vulnerabilities to people who want to sabotage our systems. It is illegal to disclose this information under federal law, but Washington law is more vague. Our county received a request for a Department of Homeland Security cybersecurity assessment and found there was disagreement over how to balance the risks of violating the PRA and compromising election security. This will provide guidance to elections officials and ensure that government networks are not compromised.
Election systems are critical infrastructure. Security tools are expensive and implemented in stages, not immediately. The media asks the public be notified of data breaches; the public should know what happened, that breaches were filled, and that it will not happen again. Language needs to be amended so information is not withheld as it has been with other recent data breaches.
CON: We need to ensure our election systems are foolproof, but open to citizen examination when election results are questioned. This seems like a door being closed.