Washington state Office of Cyber Security office proposed

OLYMPIA – Reeling from a December dats breach that allowed hackers to access the personal information of roughly 1.6 million state residents, lawmakers are working with Gov. Jay Inslee to establish a new office to protect computers.

Sponsored by Sen. Reuven Carlyle, D-Seattle, Senate Bill 5432 would establish a new Office of Cyber Security. Officials from the Office of the Governor said Inslee requested the bill in response to the December data breach tied to resident unemployment claims filed in 2020.

The data was in the possession of the State Auditor’s Office, which was investigating unemployment fraud. Hackers accessed the data through a company called Accellion, a San Francisco-based company contracted for services by the Auditor’s office.

The unemployment claims included filers’ Social Security numbers and banking information.

“The particular data breach that we just experienced... is absolutely categorically unacceptable, and the people of the state need to know how serious we take this,” Carlyle said. “It is imperative that we implement best practices from a cybersecurity point of view.”

That breach followed another cyber attack in which the state Employment Security Department paid out $600 million in unemployment benefits in early 2020, which jeopardized private data of unemployed residents at that time as well.

During a Feb. 9 hearing on the bill, lawmakers and state agencies employees said they observed an uptick in cyber attacks, possibly because so much state business moved online during the coronavirus shutdown orders.

“Cyber attacks are on the rise, both in alarming frequency and level of sophistication,” gubernatorial Policy Adviser Sheri Sawyer said. “We just really have to look to the last 10 months to get a clear view of the landscape here.”

A cyber-security office has existed informally under WaTech, the state’s technology agency, but would become statutory and enjoy broader authority should the bill pass.

The proposal requires state agencies to follow security guidelines set forth by the OCS and report cyber security incidents to the office within 24 hours. The office would then investigate attacks and coordinate related communications.

If approved, by July 2022, the new office would have to develop a catalog of additional digital security services to perform and submit a report to the governor and the Legislature.

The bill is drawing bipartisan support.

“It's a troubling trend. I'm not usually one to grow government, but I think in this instance, it's incumbent upon us to make sure that we can protect this information,” said Sen. Shelly Short, R-Addy, during an executive session on the bill. “I wasn't sure how I was going to vote but, given the comments that have been made and just thinking about what the intent of the bill is, I'm supportive.”