Reacting to the unemployment-claims data breach that exposed the personal information of more than 1 million Washingtonians, lawmakers are looking to beef up the state’s cybersecurity practices.
At the request of Gov. Jay Inslee, they’ve introduced legislation giving the state Office of Cybersecurity (OCS) more authority to direct state agencies on “best practices” for safely storing sensitive data.
That includes agencies run by independently elected officials like State Auditor Pat McCarthy, whose office last week disclosed the massive breach involving the Social Security numbers, bank account numbers and other personal information of an estimated 1.4 million people.
Senate Bill 5432, quickly drafted after the breach, was supported by McCarthy’s office and by the state’s chief information officer, Jim Weaver, at a virtual public hearing before a state Senate committee Tuesday.
The bill would formalize some of what the cybersecurity office already says it does, while also giving it more power — essentially trying to centralize what some say has been a scattershot, agency-by-agency approach to protecting data.
“Washington state has a ferocious addiction to decentralization,” said the bill’s chief sponsor, state Sen. Reuven Carlyle, D-Seattle, in an interview.
“There is a time and place for decentralization, but IT security is just not that place,” added Carlyle, who chairs the state Senate Energy, Environment & Technology Committee, which held the hearing on the bill Tuesday.
Sherry Sawyer, a policy adviser to Inslee, testified at the hearing that the events of the past year have shown “cyberthreats are painfully real and cyberattacks are on the rise.” She said while agencies have tried to be diligent, “we have some work to do.”
The compromised data had been collected as part of the auditor’s investigations into how the state Employment Security Department (ESD) lost $600 million to fraudulent unemployment claims.
In conducting its probe, the auditor gathered the detailed records on more than 1 million unemployment claims filed between Jan. 1 and Dec. 10 of 2020. The breach left all of them exposed when an “unauthorized person” gained access to the data in late December.
McCarthy has blamed Accellion, the California tech company whose aging data-transfer service was compromised by hackers. Her office had relied on the service for more than a decade.
Accellion executives say they’d long been urging customers to upgrade to the firm’s newer, more secure file-transfer service. The auditor’s office was in the process of doing that when the breach occurred in late December.
McCarthy did not appear at the hearing Tuesday. A representative of her office, Scott Nelson, briefly testified that the auditor supports the proposed legislation, but is “anxious” to ensure it does not interfere with her office’s audit authority.
Weaver, the state’s CIO, who runs the central tech-services agency known as WaTech, said the legislation would “solidify” the role of the state cybersecurity office and allow a “whole of government approach” to warding off threats by hackers.
The legislation would require state agencies to report major cybersecurity incidents to the OCS within 24 hours of discovery. The OCS would be required to investigate such breaches and serve as the state’s “point of contact” for all such incidents.
The bill also would require WaTech, along with the state Attorney General’s Office, to research best practices for data protection and submit a report to the Legislature by Dec. 1.
Sawyer said work is ongoing to further strengthen the legislation as it moves forward.
Carlyle said Washington, which is home to a vast array of tech companies and talent, should be in the “top tier” of cybersecurity nationally. “We are not meeting that standard today,” he said at the hearing.
While state lawmakers scramble to fix gaps in the state’s data security, the auditor’s office data breach already is spawning potentially massive legal actions, with two class-action lawsuits filed last week in King County Superior Court.
The first, filed on Feb. 2, names Accellion as a defendant. The second, filed Feb. 5, names both Accellion and the state auditor’s office. Both seek monetary damages and attorney’s fees on behalf of anyone harmed by the data breach.