In wake of major data breach, cyber security office proposed

By Patric Haerle

WNPA News Service

Reeling from a December breach that allowed hackers to access the personal information of roughly 1.6 million Washington residents, state lawmakers are working with Gov. Jay Inslee to establish a new office to protect state data.

Senate Bill 5432, sponsored by Sen. Reuven Carlyle, D-Seattle, establishes a new Office of Cyber Security (OCS).

The bill is set to move on a fast track through the Legislature this session.

Officials from the Office of the Governor said the request was in response to the December breach of data tied to resident unemployment claims filed in 2020. The data was in the possession of the State Auditor’s Office, which was investigating unemployment fraud. Hackers accessed the data through Accellion, a San Francisco-based company tapped for services by the Auditor’s Office.

The unemployment claims included filers’ Social Security numbers and banking information.

“The particular data breach that we just experienced … is absolutely categorically unacceptable, and the people of the state need to know how serious we take this,” Carlyle said. “It is imperative that we implement best practices from a cyber security point of view.”

At a Feb. 9 hearing on the bill, lawmakers and members of various state agencies said they had observed an uptick in cyber attacks, possibly because so much state business moved online during the COVID-19 pandemic.

“Cyber attacks are on the rise, both in alarming frequency and level of sophistication,” said Sheri Sawyer, a policy advisor to the governor. “We just really have to look to the last 10 months to get a clear view of the landscape here in Washington State.”

OCS has existed informally under WaTech, the state’s technology agency, but would become statutory and enjoy broader authority should the bill pass.

The proposal requires state agencies to follow security guidelines set forth by the OCS and report cyber security incidents to the office within 24 hours. The office would then investigate attacks and coordinate related communications.

Additionally, by July 2022, the new office would have to develop a catalog of additional digital security services to perform and submit a report to the Governor and the Legislature.

The bill is drawing bipartisan support.

“It’s a troubling trend. I’m not usually one to grow government, but I think in this instance, it’s incumbent upon us to make sure that we can protect this information,” said Sen. Shelly Short, R-Addy, during an executive session on the bill.

“I wasn’t sure how I was going to vote but, given the comments that have been made and just thinking about what the intent of the bill is, I’m supportive.”