The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Washington lawmakers look to improve government cybersecurity after breach at auditor’s office

In this Jan. 7, 2021 photo, the Legislative Building is shown partially shrouded in fog at the Capitol in Olympia, Wash. (Ted S. Warren)

OLYMPIA – Washington lawmakers are hoping to improve cybersecurity and data sharing within the state government after a fraud attack at the Employment Security Department cost the state hundreds of millions of dollars last year and a breach involving the State Auditor’s Office exposed more than 1 million people’s personal information.

If passed, the two bills heard in committee Tuesday would boost cybersecurity at state government agencies. A bill requested by Gov. Jay Inslee would create an Office of Cybersecurity to work with state agencies to create security standards and respond to major cybersecurity incidents at state agencies. A second, Republican-sponsored bill would require the Employment Security Department and the Department of Labor and Industries to examine and potentially replace their use of full social security numbers.

Sen. Reuven Carlyle, D-Seattle, said this is a time of “historic cybersecurity threats” and the state needs the highest-quality system to protect against them.

“We are not meeting those standards today,” said Carlyle, co-sponsor of the bill to create a new office of cybersecurity.

Carlyle’s bill was requested by Inslee last week after the breach at the Auditor’s Office. Accellion, a third-party provider the office used to transmit files, experienced a security breach in December, exposing the personal information of people who filed unemployment claims in 2020. The data included each person’s name, social security number, driver’s license or state identification number, bank information and place of employment.

The files affected were part of an audit the office was doing on the Employment Security Department, which paid out between $550 and $650 million in fraudulent claims last year. Of those, only about $342 million had been recovered.

“It is ironic that this would happen, but that really is the situation,” Auditor Pat McCarthy said.

The office had used Accellion for 13 years and was in the process of switching from its 20-year-old product to a newer secure tool when the breach happened.

Carlyle’s bill would create the Office of Cybersecurity within the existing Office of the Chief Information Officer. The new office would establish security standards and policies for the state and develop a centralized cybersecurity protocol, according to the bill. It would also be charged with investigating all cybersecurity incidents at state agencies.

The office would also be required to research existing best practices for data protection and submit a report to the Legislature by the end of the year.

The bill would give strong central authority to the Office of Cybersecurity and enable statewide collaboration on data protection, Sheri Sawyer, of the Office of the Governor, told the Senate Environment, Energy and Technology Committee.

This bill would clarify guidelines for the Office of the Chief Information Officer and provide a path forward for dealing with data breaches, state Chief Information Officer Jim Weaver said.

Republicans told reporters on Tuesday that the state did not need to create another governmental entity to deal with this issue, because the Office of the Chief Information Officer already exists.

That office needs to be empowered to take on cybersecurity issues, Sen. Ann Rivers, R-La Center, said. Although she acknowledged the new office would exist within the Office of the Chief Information Officer, she said adding more bureaucracy would only cause more problems.

“Adding more government is not the solution,” Senate Minority Leader John Braun, of Centralia, said.

One solution Republicans have proposed is a bill by Rep. Gina Mosbrucker, R-Goldendale, that would remove some uses of full social security numbers from some agencies. Specifically, it would require the Employment Security Department and the Department of Labor and Industries to examine where they are currently using full social security numbers and potentially replace them with encrypted versions. It would also require them to stop sharing those numbers with nongovernmental third parties.

“We need to make sure if there’s ways to take action that we take action and find an encryption mode to protect the identity of those we serve,” she told the state Labor and Workplace Standards Committee.

The bill had support in its public hearing, although some groups, such as the Department of Labor and Industries and the Consumer Data Industry Association, had concerns with the vagueness of the bill’s language.

“We do think this is the right direction,” Tammy Fellion, of the Department of Labor and Industries, said.

Mosbrucker said this bill was just a matter of getting started and the issue needed to be addressed.

Both bills had their first public hearing in committee on Tuesday. The cut-off date for them to pass out of their committees is Monday.

Laurel Demkovich's reporting for The Spokesman-Review is funded in part by Report for America and by members of the Spokane community. This story can be republished by other organizations for free under a Creative Commons license. For more information on this, please contact our newspaper’s managing editor.