
Chapter 291, Laws of 2021, established WaTech’s state Office of Cybersecurity (OCS) as the state’s lead organization in combatting cyber threats and created a clear mandate for the development of centralized services and functions across state government.
Section 4 requires OCS to research, examine and report on existing data protection best practices in collaboration with the Office of Privacy and Data Protection (OPDP) and the Office of the Attorney General. Specifically, the report must contemplate:
…best practices for data governance, data protection, the sharing of data relating to cybersecurity, and the protection of state and local governments’ information technology systems and infrastructure including, but not limited to, model terms for data-sharing contracts and adherence to privacy principles.
This report is divided into three sections:
• Cybersecurity: Section one discusses current cybersecurity threats and trends, key findings that identify areas for improvement, and recommendations based on leading industry best practices for closing gaps and improving the state’s security posture.
• Privacy: Section two provides an overview of existing privacy principles and opportunities to further strengthen adherence, as well as background on existing privacy frameworks and maturity models.
• Data sharing: Section three addresses new and existing data sharing agreement requirements. It includes steps agencies can take to identify when a data sharing agreement is needed and to effectively implement and monitor agreements.
While this report includes best practices and guidance that agencies can use to improve cybersecurity and privacy activities, it does not carry the effect of law and is not legal advice.