Legislature (2009 - 2010) CAPITOL 106
03/18/2010 08:00 AM House STATE AFFAIRS
| Audio | Topic |
|---|---|
| Start | |
| HB394 | |
| HB53 | |
| Adjourn | |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| *+ | HB 394 | TELECONFERENCED |
| += | HB 53 | TELECONFERENCED |
| + | | TELECONFERENCED |
HB 394-EXECUTIVE BRANCH RECORDS SECURITY
8:07:12 AM
CHAIR LYNN announced that the first order of business was HOUSE
BILL NO. 394, "An Act relating to the data processing and
telecommunications activities of the state; relating to the
security of certain data processing records of the executive
branch and making the Department of Administration responsible
for the security of those records; and making the commissioner
of administration the chief information officer."
8:07:28 AM
REPRESENTATIVE WES KELLER, Alaska State Legislature, as sponsor,
introduced HB 394. He said the ability to use computers to
exchange information and cross distances and time has changed
the way people live. He stated that the primary goal of HB 394
is to ensure that state records do not get released
inappropriately. The bill would put together a management
system by which to define the standards being used for the
security of various records and the exchange of those records.
He mentioned some departments and the types of records they
keep. He offered his understanding that $400 million was
recently spent in the Department of Education to expand a
database which currently tracks each student to also track the
education of each student. He said the bill does not propose to
define each individual database, but proposes a situation in
which each department would retain its own information
technology (IT) system and a central information officer in the
state would be added.
8:14:36 AM
REPRESENTATIVE KELLER, in response to Chair Lynn, said the
state's data processors tell him there are "very sophisticated
hits on the information in the state daily." In response to a
follow-up question, he said there are no provisions in the bill
for backup of data. He explained that it is difficult to write
a bill regarding technology, because technology changes so fast.
CHAIR LYNN clarified that he wants to know if there will be a
requirement for records to be backed up, without naming the
method by which that would be done. He talked about the
vulnerability of paper records to fires.
8:17:14 AM
REPRESENTATIVE KELLER responded that the point made by Chair
Lynn is exactly why he introduced this bill. He indicated that
backup standards should protect records, but said HB 394 does
not specify how that must be done. He clarified that the
proposed legislation would result in a starting system upon
which other efficiencies could later be initiated.
8:18:21 AM
REPRESENTATIVE KELLER reminded the committee that in 2002, there
was a security leak, and the following information of some state
workers was leaked: name, social security number, and date of
birth. Specifically, a contractor with the state lost the
information. He offered further details.
REPRESENTATIVE KELLER said HB 394 would designate the
commissioner of the Department of Administration as the person
to establish protocols and standards related to security. He
said the Department of Administration seemed logical to him, but
he said he does not care which department, as long as a
structure is in place.
8:21:32 AM
JIM POUND, Staff, Representative Wes Keller, Alaska State
Legislature, on behalf of Representative Keller, sponsor of HB
394, highlighted Section 4, beginning on page 3, line 28, as
being the most important section of the bill. Everything prior
to Section 4, he explained, is existing language in statute.
Mr. Pound said security breaches in computer technology are a
worldwide problem. He said currently each department has its
own security measures for records, but the proposed legislation
would "establish a single plan for security in the state of
Alaska." He added that whatever the plan is, it will have to be
updated frequently to guard against hackers.
8:23:43 AM
REPRESENTATIVE KELLER remarked that he had no intent in
sponsoring HB 394 to demean the standards that are currently in
place in the various state departments.
8:24:08 AM
REPRESENTATIVE GATTO directed attention to language in the bill
title, on page 1, line 3, which read "making the Department of
Administration responsible". Next, he pointed to language in
the fiscal note prepared by Guy Bell, the assistant commissioner
of the Department of Labor and Workforce Development, who writes
that the proposed legislation "places overall authority". He
then highlighted that the fiscal note prepared by Anna Kim, the
director of Administrative Services, says that [HB 394] "allows"
the Department of Administration to create regulations.
Finally, he pointed out that the sponsor statement read that the
HB 394 "assigns" [the department]. He opined that it would be
helpful to use the same word, and he questioned whether that
word should be "designates."
8:25:04 AM
REPRESENTATIVE KELLER responded that the only assigning proposed
by the bill is that of the chief information officer (CIO), who
would not be able to "access ... anyone's ... HIPAA record,"
because that would be illegal.
8:26:38 AM
REPRESENTATIVE GRUENBERG directed attention to page 4, line 15,
which read as follows:
(d) The department shall adopt regulations to
implement this section.
REPRESENTATIVE GRUENBERG relayed that Mr. Brooks told him the
regulations would be adopted under the Administrative Procedures
Act, AS 44.62. He then directed attention to language on page
4, line 29, which would set a due date for the first report "on
January 1 of the fifth calendar year after this Act takes
effect." He opined that five years is a long time to wait for a
report. He asked the bill sponsor what he thinks about changing
that requirement to the third or fourth year in order to get
progress reports sooner.
8:27:34 AM
REPRESENTATIVE KELLER said he would support that. In response
to a follow-up question, he said he would appreciate it if
Representative Gruenberg would ask the department for its
recommendation regarding when the first report could be
expected.
8:28:30 AM
REPRESENTATIVE SEATON noted that HB 394 is about security of
records and proposes that the department is "responsible for the
operation and management of automatic data processing
resources". He directed attention to language on page 4,
beginning on line 21, which read as follows:
(1) "data processing records" means the records that
are produced or maintained by the automatic data
processing resources and activities of the state
agency and that are not being held by the Alaska State
Archives;
REPRESENTATIVE SEATON noted that subsection (2), on page 3,
beginning on line 3, addresses management of records, which is
under existing statutes. He observed that the new language in
Section 4 addresses only automatic data processing records,
whereas state agencies currently deal with records. He asked if
that is the intent of the sponsor.
8:29:57 AM
REPRESENTATIVE KELLER responded that his intent was "to make the
protocol standards structure over all records in the state," and
he said he finds the word "automatic" confusing. He said he
would like the department to weigh in on that word.
CHAIR LYNN emphasized the urgency of protecting the state's
information.
8:31:23 AM
REPRESENTATIVE SEATON asked for clarification whether that
language means that the commissioner will have sole
responsibility or there will be designees involved.
REPRESENTATIVE KELLER offered his understanding that there would
be a team of designees, but that the responsibility would lie
with the commissioner of the Department of Administration.
REPRESENTATIVE SEATON explained that he is trying to figure out
if the wording accomplishes the intent. He asked if there are
other subsections addressing strictly IT functions or other
duties and powers of the commissioner.
REPRESENTATIVE KELLER responded, "I assume it's the
comprehensive description of the responsibilities of the
Department of Administration, and that's worth checking."
8:34:29 AM
RACHAEL PETRO, Deputy Commissioner, Department of
Administration, stated that HB 394 would affect not only the
Department of Administration, but all the departments within the
executive branch. She said every department in the executive
branch is subject to different federal requirements. For
example, the Department of Public Safety manages the criminal
justice information system, which has specific FBI policies it
must follow, and both the Department of Health & Social Services
and the Division of Retirement and Benefits within the
Department of Administration must adhere to the Health Insurance
Portability and Accountability Act (HIPAA). Essentially, she
related, departments are concerned that the provision in HB 394
would somehow put them out of compliance with federal laws. For
that reason, she said, the administration is not ready to take a
position on the proposed legislation, but is very committed to
working with Representative Keller to ensure that the various
requirements are accommodated.
8:36:19 AM
MS. PETRO said she would provide an update of where the
administration is regarding the implementation of security
procedures and policies on a statewide basis, and how that
relates directly to Section 4 of the proposed legislation. She
reminded the committee about the passage of House Bill 65, years
ago, which was the Personal Information Protection Act (PIPA).
That bill, along with the initiatives and efforts that ensued in
the Department of Administration and throughout the executive
branch provided further impetus to identify information security
officers and computer security designees within each executive
branch agency, as a means of ensuring that each department has a
focus on securing its information system. She stated that
essentially, the information security officers and computer
security designees within each department provide the basic
security infrastructure within each department for ongoing
security initiative. She said the information security officers
are designated by each department's commissioner.
MS. PETRO stated that security awareness and best practices
training is currently under development through a contract with
the University of Memphis, and online training for department
information security officers (ISOs) and computer security
designees (CSDs) is expected to be available about this time
next year. Eventually, all state employees, as well as
political subdivisions of the state will be able to avail
themselves of this training. Currently, she said, security
policies and procedures are in place, but the Security Office of
the Enterprise Technology Services Division within the
Department of Administration is currently working to update
those security policies. The policies, she related, are based
on the Information Technology Infrastructure Library (ITIL)
standard. She added that ITIL is the industry leader for IT
best practices. Ms. Petro stated that these policies will be
disseminated through department information security officers,
and, at that point, they will be reviewed and discussion may
result in policy modification to address conflict with existing
department business practice, as well as specific requirements
of different departments.
MS. PETRO stated that the next step will be to put auditing in
place, to ensure that everyone involved is complying with the
security policies. The department is in the process of
developing those tools, and will be implementing that process
first within the Department of Administration.
8:39:25 AM
MS. PETRO addressed previously stated concerns of the committee.
First, regarding Representative Gruenberg's concern about the
time frame for reporting, she said she thinks two to three years
would be acceptable, given the department's current progress in
implementing policies and procedures, which, she added, are
being designed to allow each department to modify to fit their
business needs. In response to Representative Seaton's
previously expressed concern about definitions, Ms. Petro
related that the department heard from at least one other
department that is also concerned about the definitions. She
said the definitions definitely need to be "cleaned up." She
noted that in 20 years the state will not be talking about paper
documents - all technology will be computerized. She said the
department would be happy to work with the bill sponsor
regarding the definitions and "how they relate." Ms. Petro
offered to answer questions.
8:40:50 AM
CHAIR LYNN asked if there is any language in the bill as it is
currently drafted that would cause problems for the department.
MS. PETRO, in response, reiterated that the department would
like to work with the bill sponsor and the departments to ensure
that there is no problematic language, and would prefer to do so
"before the bill is passed."
CHAIR LYNN restated the urgency of passing legislation on this
issue.
8:43:13 AM
REPRESENTATIVE GATTO, regarding the fiscal note from Guy Bell,
directed attention to the last sentence of the analysis, which
read as follows:
The cost to the department's business units of
complying with any new policies derived as a result of
this legislation is indeterminate.
REPRESENTATIVE GATTO observed that the amount for fiscal year
2011 (FY 11) shows as zero, as if it could be determined. He
asked if there is some way to make the fiscal note "reflect more
accurately what the cost of this activity will be."
8:44:51 AM
MS. PETRO responded that currently state departments are
required to follow statewide security policies, which is the
cost of doing business. She said there may be some changes in
the future, but "it is part of what we do every day today." She
said although there may be future, discrete, specific budget
requests "related to the items," she does not anticipate any
additional costs associated with the newer, updated policies to
come.
REPRESENTATIVE GATTO asked if Ms. Petro believes that "putting
all the information in the hands of one department" will enhance
or diminish security. He pointed out that if a hacker gets into
the system, he/she may get more information in one attempt.
MS. PETRO answered that the proposed legislation would not do
anything to consolidate databases that are centered on different
departments and divisions of state government. In Section 4,
she said, the proposed bill outlines that the Department of
Administration, through the CIO, would develop and adopt
standards, policies, and procedures. She said current policies
are being updated. Regarding security philosophy, Ms. Petro
stated that the department subscribes to the view of security in
depth. She said there are varying strategies related to IT
infrastructures, and she indicated that in-depth strategy is the
industry standard.
8:47:22 AM
KEVIN BROOKS, Deputy Commissioner, Department of Administration,
stated that it is important to remember that the state has been
spending a significant amount of money in the last five years
reinforcing its data networks. He said each department is the
keeper of its own data, whether paper or digitized. The State
Archives has rules regarding how paper documents are stored. He
said the words "automatic data processing" were probably put
into statute in the 1970s when "punch cards" were still in use.
Mr. Brooks said the Department of Administration is trying to
secure the state's wide area network, into which all state
agencies join. Then those departments have their own local area
networks. He said even the legislature is part of the state's
wide area network. He said the department is working to secure
that infrastructure, but it is a collaborative effort with all
the other departments. Regarding the indeterminate fiscal note,
he stated, "Responses to real threats in the future could result
in ... responses by the state and state agencies that could cost
money, and I think it's indeterminate because it's just really
unknown at this time what you might be looking at."
8:49:58 AM
REPRESENTATIVE SEATON directed attention to language on page 4,
lines 4-6, which read as follows:
(b) The department shall
(1) develop, implement, and maintain
policies to ensure that data processing records are
secure from unlawful release;
REPRESENTATIVE SEATON asked if the department is doing that now
or if each individual department currently is required to do
that, but under HB 394 the Department of Administration would be
responsible.
8:50:36 AM
MS. PETRO confirmed that the Department of Administration is
doing that now, because the baseline policies that govern the
state's wide area network and all departments within the
executive branch are dependent upon that network. She explained
the reason she had mentioned House Bill 65 previously is because
that bill was a direct impetus that helped the Department of
Administration organize other departments and ensure that there
are information security officers key in each department to
ensure that those departments follow the wide area network
requirements, as well as their own business requirements.
REPRESENTATIVE SEATON directed attention to the ensuing language
on page 4, lines 7-9, which read as follows:
(2) define the responsibilities for the
security of the data processing records of each state
agency, communicate the responsibilities to the state
agency, and coordinate the responsibilities among
state agencies; and
REPRESENTATIVE SEATON asked, "Would that be expanded under this
bill beyond what you're doing currently with the wide area
network?"
MS. PETRO said she does not think the department's efforts would
be expanded beyond what is currently being done.
REPRESENTATIVE SEATON said he presumes the answer would be the
same regarding paragraph (3), which read as follows:
(3) establish procedures for maintaining the
security of the data processing records and provide
training for state agency personnel to implement the
procedures.
REPRESENTATIVE SEATON returned to the term "automatic data
processing" in Section 4, and asked, "Do you see that your
current responsibility - what you're doing - is encompassing
that, or do you see your current responsibility as larger than
that for automatic data processing ... resources?"
MS. PETRO answered that she foresees no expansion of the
department's responsibilities under Section 4 of HB 394.
8:53:40 AM
MS. PETRO, in response to Representative Gruenberg, confirmed
that the department would be able to handle a requirement to
file a first report in two years.
8:54:22 AM
REPRESENTATIVE JOHNSON noted that under HB 394, the five years
is given as the deadline for the first report only; each
subsequent report would be due every two years. He said he
wonders if the reason for that is to give the department a
chance to put a new system in place.
REPRESENTATIVE GRUENBERG said that is probably the reason, but
he wants the report to be produced sooner.
REPRESENTATIVE JOHNSON asked Ms. Petro if "this" would in any
way remove accountability from the department for its own
security and place that on the administration.
8:55:29 AM
MS. PETRO prefaced her answer by saying she is not an attorney.
She reiterated that Section 4, as currently written, would not
expand the responsibilities of the Department of Administration,
which is currently working collaboratively with other
departments out of necessity. She stated, "The information
technology infrastructure on which every department builds its
specific business systems to meet ... the needs of their
constituents are reliant on what we do at the Department of
Administration. We are intertwined."
REPRESENTATIVE JOHNSON clarified that he is talking about
accountability, not responsibility.
MS. PETRO said she thinks with the development of updated
policies and standards will come additional accountability. She
reiterated that the updating is already taking place.
8:58:03 AM
REPRESENTATIVE SEATON referred to the final sentence in the
fiscal analysis written by Anna Kim, which read as follows
[original punctuation provided]:
Additionally, with the Commissioner of Administration
fulfilling the role of Enterprise CIO, each agency
head will lose the critical and important
responsibility for department data storage, security,
and protocols.
REPRESENTATIVE SEATON asked Ms. Petro if there is just a
philosophical agreement "as to whether that's correct in the
fiscal note."
MS. PETRO reiterated that there are different concerns from
different departments that need to be addressed. The department
needs to work with the sponsor to ensure that everyone's
concerns are addressed.
9:00:30 AM
REPRESENTATIVE PETERSEN directed attention to Section 3 and
questioned if there might be an issue of separation of powers.
9:00:56 AM
CLYDE "ED" SNIFFEN, JR., Senior Assistant Attorney General,
Commercial/Fair Business Section, Civil Division (Anchorage),
Department of Law, said he does not have an answer at this time,
but will look into that. Notwithstanding that, he said his
initial reaction is that he does not think there is an issue
related to the separation of powers.
9:01:21 AM
REPRESENTATIVE SEATON asked Mr. Sniffen if the Department of Law
has any of the same concerns that the Department of Education
has expressed.
9:01:32 AM
MR. SNIFFEN answered no. He concurred with Ms. Petro's previous
statement that the bill would not expand any of the
responsibilities currently in place for the Department of
Administration, and he said he is unsure how the bill would
affect the Department of Education's role in continuing to do
what is necessary to protect its information. He said just
because he does not understand the concern of the Department of
Education does not mean there is no reason for it, and he said
it would be interesting to find out what that concern is in a
little more detail.
9:02:19 AM
REPRESENTATIVE JOHNSON offered his understanding that Mr.
Sniffen questioned the separation of powers issue. He stated,
"This clearly says agencies mean agencies of the executive
branch." He said the Department of Law is an executive branch,
and he asked, "We're not thinking about the court system here
are we?"
MR. SNIFFEN answered that is correct, which is why he does not
think there is a problem "with this language here." He
explained that he just has not had a chance to talk about the
issue much.
REPRESENTATIVE JOHNSON asked for confirmation that "it doesn't
include the legislature either," only the executive branch.
MR. SNIFFEN answered that is correct.
9:03:09 AM
CHAIR LYNN, after ascertaining that there was no one else who
wished to testify, closed public testimony.
9:03:21 AM
REPRESENTATIVE SEATON expressed concern that Section 3 seems to
be dealing only with automatic data processing resources. He
opined that if the bill is trying to coordinate activities,
Section 3 should list all the pieces of information that are
intended. In response to Chair Lynn, he said he is not ready to
offer an amendment without further consideration of the matter.
9:05:02 AM
REPRESENTATIVE GRUENBERG moved to adopt Amendment 1, as follows:
Page 4, line 29:
Delete "fifth"
Insert "second"
9:05:19 AM
REPRESENTATIVE JOHNSON suggested that the requirement on page 4,
line 29, could be deleted, since there is already a requirement
[in subsection (e), on page 4, lines 16-19] for a report to be
submitted every two years.
9:05:44 AM
MS. PETRO said Representative Johnson's suggestion would work.
9:05:51 AM
REPRESENTATIVE GRUENBERG offered his understanding that the
sponsor nodded his head in response.
9:06:01 AM
REPRESENTATIVE GRUENBERG withdrew Amendment 1.
9:06:07 AM
REPRESENTATIVE GRUENBERG moved to adopt Amendment 2, as follows:
Page 4, lines 26-30:
Delete Section 5
[Amendment 2 was treated as adopted.]
9:07:04 AM
REPRESENTATIVE GATTO moved to report HB 394, as amended, out of
committee with individual recommendations and the accompanying
fiscal notes. There being no objection, CSHB 394(STA) was
reported out of the House State Affairs Standing Committee.
| Document Name | Date/Time | Subjects |
|---|---|---|
| 01 HB0394A.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 02 HB 394 Sponsor.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 03 HB394 IBM.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 04 HB 394 Archive info.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 05 HB 394 software options.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 06 HB394-DOA-ETS-03-15-10.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| 01 HB 53- Bill.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 02 HSTA - HB 53 Sponsor Statement.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 03 HB053-OOG-EO-01-22-10.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 04 HSTA - HB 53 Sectional Analysis.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 05 HSTA - HB 53 Leg. Research Report.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 06 HSTA - HB 53 Back Up Charts.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 07 HSTA - HB 53 Statutues Affected by HB 53.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 08 HB 53 - Back Up Report.pdf | HSTA 1/28/2010 8:00:00 AM; HSTA 3/18/2010 8:00:00 AM | HB 53 |
| 09 HB 53 - Back Up Table.pdf | HSTA 3/18/2010 8:00:00 AM | HB 53 |
| HB 53- CS.PDF | HSTA 3/18/2010 8:00:00 AM | HB 53 |
| HB 53- Legal Memo.PDF | HSTA 3/18/2010 8:00:00 AM | HB 53 |
| HB 53- Summary of Changes in CS Version R.PDF | HSTA 3/18/2010 8:00:00 AM | HB 53 |
| HB394-DOLWD-CO-03-17-10.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |
| HB394-EED-ESS-3-17-10.pdf | HSTA 3/18/2010 8:00:00 AM | HB 394 |