After data breach, bill introduced to create ‘state office of cybersecurity’ in Washington

In the wake of a data breach that exposed the personal data of over 1 million residents, Washington state legislators will consider a bill to create a state office that coordinates cybersecurity efforts.

“There is a profoundly serious need to have an enterprise-wide cybersecurity strategy that is unmatched in its quality,” Sen. Reuven Carlyle, the bill’s sponsor, told McClatchy in a phone interview. “We do not yet have that in this state.”

The State Auditor’s Office announced Monday that Accellion, a third-party service provider it used to transmit files, had experienced a security breach in December, allowing unauthorized access to records temporarily stored in its system.

Data believed to be affected includes personal information of well over 1 million Washington residents who filed for unemployment between Jan. 1 and Dec. 10, 2020, including people whose identities were used to file fraudulent claims early in 2020.

The Auditor’s Office is working with state cybersecurity officials, law enforcement, and legal counsel, according to its webpage dedicated to the breach, and an investigation is ongoing. It’s also “evaluating other tools and protocols for sharing data files in the future.”

Carlyle, a Seattle Democrat, called the response “all hands on deck” led by the Auditor’s Office. Gov. Jay Inslee requested the legislation that Carlyle and Sen. Joe Nguyen, D-White Center, have now introduced in response to the recent breach.

“We’ll dive into it and give it our most serious efforts,” Carlyle said.

The bill already has a public hearing scheduled for Tuesday morning in the Senate Environment, Energy & Technology Committee, which Carlyle chairs.

It would create a “state office of cybersecurity” within the Office of the Chief Information Officer (OCIO) and define the new office’s responsibilities. The OCIO sets information technology policy and direction for the state.

Under the bill, the primary duties of the new cybersecurity office would include establishing “security standards and policies to ensure the confidentiality, availability, and integrity of the information transacted, stored, or processed in the state’s information technology systems and infrastructure.”

Other duties would include developing “a centralized cybersecurity protocol for protecting and managing state information technology assets,” providing guidance to agencies on practices and standards, and being a resource for local governments.

The bill also sets a requirement for state agencies to report cybersecurity incidents within a day of discovery. The chief information security officer, the director of the new office, would serve as the state’s point of contact for all such incidents and would investigate and coordinate response.

An Office of Privacy and Data Protection already exists within WaTech, which provides IT support and security for public agencies. The State Chief Privacy Officer who oversees that office, and who Carlyle called a “staff of one,” has mostly been focused on data management practices. The new office would be more comprehensive, including best practices for protecting data from a technical standpoint, he said.

A central problem, Carlyle said, is that the state has a “decentralized approach” to many of its IT systems and doesn’t always employ evidence-based best practices. That’s not to suggest that applies to the Auditor’s Office in this case, he said, but that it’s difficult for every elected official to independently follow global best practices when there isn’t a broader strategy.

Still, he called the recent incident “absolutely unacceptable at every level.”

The response it requires includes parallel efforts, he said: to deconstruct and understand exactly what happened and to figure out how to protect the public and their data now. The legislature comes in at the structural, policy level.

At a media availability hosted by Republicans this week, Rep. Matt Boehnke of Kennewick and Sen. Ann Rivers of Port Orchard, who both serve on the OCIO Technology Services Board, also shared ideas for how cybersecurity might be improved.

Rivers suggested looking at what resources the state OCIO needs, to be sure they can provide needed protections to citizens. She also mentioned that agencies are working with old systems — the software the State Auditor’s Office was using was 20 years old.

The Auditor’s Office had been transitioning to a newer Accellion software at the time of the breach. According to a statement from the company, it had been encouraging customers to migrate for three years.

“We have to make a call about are we gonna be penny-wise and pound-foolish in terms of where we allocate resources to make sure that we protect our citizens’ data as if it were being kept in Fort Knox rather than in Mayberry R.F.D.,” Rivers said.

Boehnke is the director and lead professor of the cybersecurity division at Columbia Basin College and owns a cybersecurity consulting business. He emphasized the need to look at what personal data should be stored where and for how long.

“For example, one of the operations we’re looking at is, ‘Why do we still continue to have full Social Security numbers ... when we can identify those by other means?’” he said.

In a phone interview, he also mentioned the potential formation of a task force so the public can weigh in. He signed onto a bill sponsored by Rep. Gina Mosbrucker, R-Goldendale, specifically requiring the Employment Security Department and Labor & Industries to evaluate practices in which they disclose full social security numbers.

That bill is also scheduled for a public hearing Tuesday, in the House Committee on Labor & Workplace Standards.

This story was originally published February 6, 2021 at 5:45 AM with the headline "After data breach, bill introduced to create ‘state office of cybersecurity’ in Washington."