HB 394-EXECUTIVE BRANCH RECORDS SECURITY

8:07:12 AM

CHAIR LYNN announced that the first order of business was HOUSE BILL NO. 394, "An Act relating to the data processing and telecommunications activities of the state; relating to the security of certain data processing records of the executive branch and making the Department of Administration responsible for the security of those records; and making the commissioner of administration the chief information officer."

8:07:28 AM

REPRESENTATIVE WES KELLER, Alaska State Legislature, as sponsor, introduced HB 394. He said the ability to use computers to exchange information and cross distances and time has changed the way people live. He stated that the primary goal of HB 394 is to ensure that state records do not get released inappropriately. The bill would put together a management system by which to define the standards being used for the security of various records and the exchange of those records. He mentioned some departments and the types of records they keep. He offered his understanding that $400 million was recently spent in the Department of Education to expand a database which currently tracks each student to also track the education of each student. He said the bill does not propose to define each individual database, but proposes a situation in which each department would retain its own information technology (IT) system and a central information officer in the state would be added.

8:14:36 AM

REPRESENTATIVE KELLER, in response to Chair Lynn, said the state's data processors tell him there are "very sophisticated hits on the information in the state daily." In response to a follow-up question, he said there are no provisions in the bill for backup of data. He explained that it is difficult to write a bill regarding technology, because technology changes so fast.
CHAIR LYNN clarified that he wants to know if there will be a requirement for records to be backed up, without naming the method by which that would be done. He talked about the vulnerability of paper records to fires.

8:17:14 AM

REPRESENTATIVE KELLER responded that the point made by Chair Lynn is exactly why he introduced this bill. He indicated that backup standards should protect records, but said HB 394 does not specify how that must be done. He clarified that the proposed legislation would result in a starting system upon which other efficiencies could later be initiated.

8:18:21 AM

REPRESENTATIVE KELLER reminded the committee that in 2002, there was a security leak, and the following information of some state workers was leaked: name, social security number, and date of birth. Specifically, a contractor with the state lost the information. He offered further details.

REPRESENTATIVE KELLER said HB 394 would designate the commissioner of the Department of Administration as the person to establish protocols and standards related to security. He said the Department of Administration seemed logical to him, but he said he does not care which department, as long as a structure is in place.

8:21:32 AM

JIM POUND, Staff, Representative Wes Keller, Alaska State Legislature, on behalf of Representative Keller, sponsor of HB 394, highlighted Section 4, beginning on page 3, line 28, as being the most important section of the bill. Everything prior to Section 4, he explained, is existing language in statute. Mr. Pound said security breaches in computer technology are a worldwide problem. He said currently each department has its own security measures for records, but the proposed legislation would "establish a single plan for security in the state of Alaska." He added that whatever the plan is, it will have to be updated frequently to guard against hackers.
8:23:43 AM

REPRESENTATIVE KELLER remarked that he had no intent in sponsoring HB 394 to demean the standards that are currently in place in the various state departments.

8:24:08 AM

REPRESENTATIVE GATTO directed attention to language in the bill title, on page 1, line 3, which read "making the Department of Administration responsible". Next, he pointed to language in the fiscal note prepared by Guy Bell, the assistant commissioner of the Department of Labor and Workforce Development, who writes that the proposed legislation "places overall authority". He then highlighted that the fiscal note prepared by Anna Kim, the director of Administrative Services, says that [HB 394] "allows" the Department of Administration to create regulations. Finally, he pointed out that the sponsor statement read that HB 394 "assigns" [the department]. He opined that it would be helpful to use the same word, and he questioned whether that word should be "designates."

8:25:04 AM

REPRESENTATIVE KELLER responded that the only assigning proposed by the bill is that of the chief information officer (CIO), who would not be able to "access ... anyone's ... HIPAA record," because that would be illegal.

8:26:38 AM

REPRESENTATIVE GRUENBERG directed attention to page 4, line 15, which read as follows:

(d) The department shall adopt regulations to implement this section.

REPRESENTATIVE GRUENBERG relayed that Mr. Brooks told him the regulations would be adopted under the Administrative Procedures Act, AS 44.62. He then directed attention to language on page 4, line 29, which would set a due date for the first report "on January 1 of the fifth calendar year after this Act takes effect." He opined that five years is a long time to wait for a report. He asked the bill sponsor what he thinks about changing that requirement to the third or fourth year in order to get progress reports sooner.

8:27:34 AM

REPRESENTATIVE KELLER said he would support that.
In response to a follow-up question, he said he would appreciate it if Representative Gruenberg would ask the department for its recommendation regarding when the first report could be expected.

8:28:30 AM

REPRESENTATIVE SEATON noted that HB 394 is about security of records and proposes that the department is "responsible for the operation and management of automatic data processing resources". He directed attention to language on page 4, beginning on line 21, which read as follows:

(1) "data processing records" means the records that are produced or maintained by the automatic data processing resources and activities of the state agency and that are not being held by the Alaska State Archives;

REPRESENTATIVE SEATON noted that subsection (2), on page 3, beginning on line 3, addresses management of records, which is under existing statutes. He observed that the new language in Section 4 addresses only automatic data processing records, whereas state agencies currently deal with records. He asked if that is the intent of the sponsor.

8:29:57 AM

REPRESENTATIVE KELLER responded that his intent was "to make the protocol standards structure over all records in the state," and he said he finds the word "automatic" confusing. He said he would like the department to weigh in on that word.

CHAIR LYNN emphasized the urgency of protecting the state's information.

8:31:23 AM

REPRESENTATIVE SEATON asked for clarification whether that language means that the commissioner will have sole responsibility or there will be designees involved.

REPRESENTATIVE KELLER offered his understanding that there would be a team of designees, but that the responsibility would lie with the commissioner of the Department of Administration.

REPRESENTATIVE SEATON explained that he is trying to figure out if the wording accomplishes the intent. He asked if there are other subsections addressing strictly IT functions or other duties and powers of the commissioner.
REPRESENTATIVE KELLER responded, "I assume it's the comprehensive description of the responsibilities of the Department of Administration, and that's worth checking."

8:34:29 AM

RACHAEL PETRO, Deputy Commissioner, Department of Administration, stated that HB 394 would affect not only the Department of Administration, but all the departments within the executive branch. She said every department in the executive branch is subject to different federal requirements. For example, the Department of Public Safety manages the criminal justice information system, which has specific FBI policies it must follow, and both the Department of Health & Social Services and the Division of Retirement and Benefits within the Department of Administration must adhere to the Health Insurance Portability and Accountability Act (HIPAA). Essentially, she related, departments are concerned that the provision in HB 394 would somehow put them out of compliance with federal laws. For that reason, she said, the administration is not ready to take a position on the proposed legislation, but is very committed to working with Representative Keller to ensure that the various requirements are accommodated.

8:36:19 AM

MS. PETRO said she would provide an update of where the administration is regarding the implementation of security procedures and policies on a statewide basis, and how that relates directly to Section 4 of the proposed legislation. She reminded the committee about the passage, years ago, of House Bill 65, which was the Personal Information Protection Act (PIPA). That bill, along with the initiatives and efforts that ensued in the Department of Administration and throughout the executive branch, provided further impetus to identify information security officers and computer security designees within each executive branch agency, as a means of ensuring that each department has a focus on securing its information system.
She stated that essentially, the information security officers and computer security designees within each department provide the basic security infrastructure within each department for ongoing security initiatives. She said the information security officers are designated by each department's commissioner.

MS. PETRO stated that security awareness and best practices training is currently under development through a contract with the University of Memphis, and online training for department information security officers (ISOs) and computer security designees (CSDs) is expected to be available about this time next year. Eventually, all state employees, as well as political subdivisions of the state, will be able to avail themselves of this training. Currently, she said, security policies and procedures are in place, but the Security Office of the Enterprise Technology Services Division within the Department of Administration is currently working to update those security policies. The policies, she related, are based on the Information Technology Infrastructure Library (ITIL) standard. She added that ITIL is the industry leader for IT best practices. Ms. Petro stated that these policies will be disseminated through department information security officers, and, at that point, they will be reviewed and discussion may result in policy modification to address conflict with existing department business practice, as well as specific requirements of different departments.

MS. PETRO stated that the next step will be to put auditing in place, to ensure that everyone involved is complying with the security policies. The department is in the process of developing those tools, and will be implementing that process first within the Department of Administration.

8:39:25 AM

MS. PETRO addressed previously stated concerns of the committee.
First, regarding Representative Gruenberg's concern about the time frame for reporting, she said she thinks two to three years would be acceptable, given the department's current progress in implementing policies and procedures, which, she added, are being designed so that each department can modify them to fit its business needs. In response to Representative Seaton's previously expressed concern about definitions, Ms. Petro related that the department heard from at least one other department that is also concerned about the definitions. She said the definitions definitely need to be "cleaned up." She noted that in 20 years the state will not be talking about paper documents; all technology will be computerized. She said the department would be happy to work with the bill sponsor regarding the definitions and "how they relate." Ms. Petro offered to answer questions.

8:40:50 AM

CHAIR LYNN asked if there is any language in the bill as it is currently drafted that would cause problems for the department.

MS. PETRO, in response, reiterated that the department would like to work with the bill sponsor and the departments to ensure that there is no problematic language, and would prefer to do so "before the bill is passed."

CHAIR LYNN restated the urgency of passing legislation on this issue.

8:43:13 AM

REPRESENTATIVE GATTO, regarding the fiscal note from Guy Bell, directed attention to the last sentence of the analysis, which read as follows:

The cost to the department's business units of complying with any new policies derived as a result of this legislation is indeterminate.

REPRESENTATIVE GATTO observed that the amount for fiscal year 2011 (FY 11) shows as zero, as if it could be determined. He asked if there is some way to make the fiscal note "reflect more accurately what the cost of this activity will be."

8:44:51 AM

MS. PETRO responded that currently state departments are required to follow statewide security policies, which is the cost of doing business.
She said there may be some changes in the future, but "it is part of what we do every day today." She said although there may be future, discrete, specific budget requests "related to the items," she does not anticipate any additional costs associated with the newer, updated policies to come.

REPRESENTATIVE GATTO asked if Ms. Petro believes that "putting all the information in the hands of one department" will enhance or diminish security. He pointed out that if a hacker gets into the system, he/she may get more information in one attempt.

MS. PETRO answered that the proposed legislation would not do anything to consolidate databases that are centered on different departments and divisions of state government. In Section 4, she said, the proposed bill outlines that the Department of Administration, through the CIO, would develop and adopt standards, policies, and procedures. She said current policies are being updated. Regarding security philosophy, Ms. Petro stated that the department subscribes to the view of security in depth. She said there are varying strategies related to IT infrastructures, and she indicated that the in-depth strategy is the industry standard.

8:47:22 AM

KEVIN BROOKS, Deputy Commissioner, Department of Administration, stated that it is important to remember that the state has been spending a significant amount of money in the last five years reinforcing its data networks. He said each department is the keeper of its own data, whether paper or digitized. The State Archives has rules regarding how paper documents are stored. He said the words "automatic data processing" were probably put into statute in the 1970s when "punch cards" were still in use. Mr. Brooks said the Department of Administration is trying to secure the state's wide area network, into which all state agencies join. Then those departments have their own local area networks. He said even the legislature is part of the state's wide area network.
He said the department is working to secure that infrastructure, but it is a collaborative effort with all the other departments. Regarding the indeterminate fiscal note, he stated, "Responses to real threats in the future could result in ... responses by the state and state agencies that could cost money, and I think it's indeterminate because it's just really unknown at this time what you might be looking at."

8:49:58 AM

REPRESENTATIVE SEATON directed attention to language on page 4, lines 4-6, which read as follows:

(b) The department shall
(1) develop, implement, and maintain policies to ensure that data processing records are secure from unlawful release;

REPRESENTATIVE SEATON asked if the department is doing that now or if each individual department currently is required to do that, but under HB 394 the Department of Administration would be responsible.

8:50:36 AM

MS. PETRO confirmed that the Department of Administration is doing that now, because the baseline policies that govern the state's wide area network and all departments within the executive branch are dependent upon that network. She explained the reason she had mentioned House Bill 65 previously is because that bill was a direct impetus that helped the Department of Administration organize other departments and ensure that there are information security officers key in each department to ensure that those departments follow the area wide network requirements, as well as their own business requirements.

REPRESENTATIVE SEATON directed attention to the ensuing language on page 4, lines 7-9, which read as follows:

(2) define the responsibilities for the security of the data processing records of each state agency, communicate the responsibilities to the state agency, and coordinate the responsibilities among state agencies; and

REPRESENTATIVE SEATON asked, "Would that be expanded under this bill beyond what you're doing currently with the wide area network?"

MS. PETRO said she does not think the department's efforts would be expanded beyond what is currently being done.

REPRESENTATIVE SEATON said he presumes the answer would be the same regarding paragraph (3), which read as follows:

(3) establish procedures for maintaining the security of the data processing records and provide training for state agency personnel to implement the procedures.

REPRESENTATIVE SEATON returned to the term "automatic data processing" in Section 4, and asked, "Do you see that your current responsibility - what you're doing - is encompassing that, or do you see your current responsibility as larger than that for automatic data processing ... resources?"

MS. PETRO answered that she foresees no expansion of the department's responsibilities under Section 4 of HB 394.

8:53:40 AM

MS. PETRO, in response to Representative Gruenberg, confirmed that the department would be able to handle a requirement to file a first report in two years.

8:54:22 AM

REPRESENTATIVE JOHNSON noted that under HB 394, the five years is given as the deadline for the first report only; each subsequent report would be due every two years. He said he wonders if the reason for that is to give the department a chance to put a new system in place.

REPRESENTATIVE GRUENBERG said that is probably the reason, but he wants the report to be produced sooner.

REPRESENTATIVE JOHNSON asked Ms. Petro if "this" would in any way remove accountability from the department for its own security and place that on the administration.

8:55:29 AM

MS. PETRO prefaced her answer by saying she is not an attorney. She reiterated that Section 4, as currently written, would not expand the responsibilities of the Department of Administration, which is currently working collaboratively with other departments out of necessity. She stated, "The information technology infrastructure on which every department builds its specific business systems to meet ... the needs of their constituents are reliant on what we do at the Department of Administration. We are intertwined."

REPRESENTATIVE JOHNSON clarified that he is talking about accountability, not responsibility.

MS. PETRO said she thinks with the development of updated policies and standards will come additional accountability. She reiterated that the updating is already taking place.

8:58:03 AM

REPRESENTATIVE SEATON referred to the final sentence in the fiscal analysis written by Anna Kim, which read as follows [original punctuation provided]:

Additionally, with the Commissioner of Administration fulfilling the role of Enterprise CIO, each agency head will lose the critical and important responsibility for department data storage, security, and protocols.

REPRESENTATIVE SEATON asked Ms. Petro if there is just a philosophical agreement "as to whether that's correct in the fiscal note."

MS. PETRO reiterated that there are different concerns from different departments that need to be addressed. The department needs to work with the sponsor to ensure that everyone's concerns are addressed.

9:00:30 AM

REPRESENTATIVE PETERSEN directed attention to Section 3 and questioned if there might be an issue of separation of powers.

9:00:56 AM

CLYDE "ED" SNIFFEN, JR., Senior Assistant Attorney General, Commercial/Fair Business Section, Civil Division (Anchorage), Department of Law, said he does not have an answer at this time, but will look into that. Notwithstanding that, he said his initial reaction is that he does not think there is an issue related to the separation of powers.

9:01:21 AM

REPRESENTATIVE SEATON asked Mr. Sniffen if the Department of Law has any of the same concerns that the Department of Education has expressed.

9:01:32 AM

MR. SNIFFEN answered no. He concurred with Ms. Petro's previous statement that the bill would not expand any of the responsibilities currently in place for the Department of Administration, and he said he is unsure how the bill would affect the Department of Education's role in continuing to do what is necessary to protect its information. He said just because he does not understand the concern of the Department of Education does not mean there is no reason for it, and he said it would be interesting to find out what that concern is in a little more detail.

9:02:19 AM

REPRESENTATIVE JOHNSON offered his understanding that Mr. Sniffen questioned the separation of powers issue. He stated, "This clearly says agencies mean agencies of the executive branch." He said the Department of Law is in the executive branch, and he asked, "We're not thinking about the court system here are we?"

MR. SNIFFEN answered that is correct, which is why he does not think there is a problem "with this language here." He explained that he just has not had a chance to talk about the issue much.

REPRESENTATIVE JOHNSON asked for confirmation that "it doesn't include the legislature either," only the executive branch.

MR. SNIFFEN answered that is correct.

9:03:09 AM

CHAIR LYNN, after ascertaining that there was no one else who wished to testify, closed public testimony.

9:03:21 AM

REPRESENTATIVE SEATON expressed concern that Section 3 seems to be dealing only with automatic data processing resources. He opined that if the bill is trying to coordinate activities, Section 3 should list all the pieces of information that are intended. In response to Chair Lynn, he said he is not ready to offer an amendment without further consideration of the matter.
9:05:02 AM

REPRESENTATIVE GRUENBERG moved to adopt Amendment 1, as follows:

Page 4, line 29:
Delete "fifth"
Insert "second"

9:05:19 AM

REPRESENTATIVE JOHNSON suggested that the requirement on page 4, line 29, could be deleted, since there is already a requirement [in subsection (e), on page 4, lines 16-19] for a report to be submitted every two years.

9:05:44 AM

MS. PETRO said Representative Johnson's suggestion would work.

9:05:51 AM

REPRESENTATIVE GRUENBERG offered his understanding that the sponsor nodded his head in response.

9:06:01 AM

REPRESENTATIVE GRUENBERG withdrew Amendment 1.

9:06:07 AM

REPRESENTATIVE GRUENBERG moved to adopt Amendment 2, as follows:

Page 4, lines 26-30:
Delete Section 5

[Amendment 2 was treated as adopted.]

9:07:04 AM

REPRESENTATIVE GATTO moved to report HB 394, as amended, out of committee with individual recommendations and the accompanying fiscal notes. There being no objection, CSHB 394(STA) was reported out of the House State Affairs Standing Committee.