WeVote

Bill

Bill

SB 5014

Concerning election security.

2025-2026 Regular Session Introduced by Jess Bateman and 9 co-sponsors

SB 5014 requires faster breach disclosures, expanded preapproval for election tech, and mandatory 24/7 intrusion detection with network partitioning to safeguard election systems.

Effective date 7/27/2025.
0
WeVote Research Nonpartisan
Bill Summary · SB 5014

Summary — SB 5014 (2025): Concerning election security

Overview / Purpose

SB 5014 strengthens electronic and physical security requirements for Washington State election infrastructure. The bill expands the types of systems that require preapproval by the Secretary of State, mandates specific county cybersecurity measures (including network partitioning and use of the “.gov” domain), and creates immediate breach‑reporting obligations for vendors, manufacturers, and county election offices. It is intended to reduce cyber threats, improve incident detection and response, and protect voter and election data integrity.

Key provisions

  • Expansion of Secretary of State preapproval (amends RCW 29A.12.050):

    • Requires Secretary preapproval, prior to use in any primary or election, of:
    • Voting systems/devices and vote‑tallying systems; and
    • Any mechanical, electromechanical, or electronic equipment/platform (software, firmware, hardware) used to:
      • issue ballots;
      • facilitate voters’ response to required notices;
      • provide an electronic means to submit a ballot declaration signature (RCW 29A.60.165);
      • issue, authenticate, or validate voter identification;
    • Any system or part the Secretary determines requires prior approval.
    • Secretary may, after review, determine that certain modifications do not require full reexamination/reapproval.
  • Breach disclosure requirements (amends RCW 29A.12.180):

    • Manufacturers/distributors of certified voting systems must immediately disclose breaches to the Secretary of State and Attorney General if the breach either:
    • has (or is reasonably likely to have) compromised election security/confidentiality/integrity; or
    • resulted in (or likely resulted in) unauthorized acquisition of personal information that was not secured.
    • Same immediate‑disclosure requirement applies to:
    • organizations contracted to support the voter registration database or official voter list;
    • county auditors or county IT directors for counties participating in the shared voter registration system or operating certified voting systems, when malicious activity or breaches are detected by IDS, domain blocking/reporting, or endpoint security tools and meet similar compromise/personal‑information criteria.
    • “Personal information” is defined by existing statute (RCW 19.255.005/010) and includes SSNs, driver’s license numbers, full DOB, biometric data, account numbers, etc.
  • County cybersecurity requirements:

    • Each county must install and maintain an intrusion detection system (IDS) that passively monitors network traffic 24/7/365, operated by a qualified/trained security team with access to cyber‑incident response personnel.
    • Systems must support government‑unique security needs and be able to receive cyberintelligence/threat updates.
    • Legislative findings encourage adoption of “.gov” top‑level domain for official websites and email and require partitioning (physical/logical separation) of election/voting IT infrastructure from other county assets to reduce risk.

Who is affected

  • County auditors and county IT departments (all counties) — must implement IDS, partition election systems, adopt recommended .gov domain use, and report breaches.
  • Vendors, manufacturers, distributors, and contractors who supply or support voting systems, voter registration databases, or the official voter list — required to timely disclose breaches to state officials.
  • Secretary of State — gains expanded approval authority and new reporting responsibilities.
  • Attorney General — receives breach notifications for coordinated legal/response action.

Timeline & implementation

  • Legislature intends county adoption of security measures “as soon as practicable, but no later than July 1, 2027.” (Extensions possible after consultation with the county auditor.)
  • Governor signed: May 17, 2025 (Chapter 329, 2025 Laws).
  • Effective date: July 27, 2025.

Procedural history (high level)

  • Prefiled Dec 5, 2024; passed both chambers with unanimous recorded votes (Senate 48–0; House 97–0); delivered to and signed by Governor May 17, 2025.

Practical impact / considerations

  • Increases operational and compliance obligations for counties and vendors (IDS implementation, network partitioning, domain changes, rapid incident reporting).
  • Strengthens central oversight of equipment used in election administration.
  • Requires coordination among counties, the Secretary of State, the Attorney General, and private vendors for incident detection and response.
  • Costs, technical feasibility, and support mechanisms for smaller counties (to implement IDS and partitioning) may be practical considerations during the July 1, 2027 compliance window.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.