Skip to main content

ESHB 1610

In Committee

House

Critical energy infra./PRA

Concerning the disclosure of critical energy infrastructure information.

This status may be delayed. See Action History below for the latest updates.

How does a bill become law?
  1. Introduced: The bill is filed and assigned a number.
  2. Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
  3. Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
  4. Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
  5. Governor: The Governor reviews the bill and decides whether to sign or veto it.
  6. Signed: The bill has been signed into law.
Introduced: February 11, 2025
Last Action: January 12, 2026
Status: H State Govt & Tr

AI Analysis

This analysis was generated by AI and may contain errors. It is not legal advice. Always refer to the official bill text for authoritative information.
People & CommunitiesBalancedCorporate & Wealthy Interests

This bill adds a new public records exemption for sensitive information about critical energy infrastructure, including details about attacks, vulnerabilities, and emergency plans. It also expands existing exemptions for security-related information in schools, correctional facilities, and IT systems to prevent disclosure that could threaten public safety.

  • Adds a new exemption to Washington’s Public Records Act (RCW 42.56.420) for critical energy infrastructure information collected by the State Energy Resilience and Emergency Management Office.
  • Defines critical energy infrastructure as physical or virtual systems whose failure could disrupt energy supply and threaten public health, safety, or welfare.
  • Clarifies that critical energy infrastructure information includes data about actual or potential attacks, compromises, or disruptions — but excludes general locations or publicly available facts.
  • Expands existing exemptions to include security plans and vulnerability assessments for correctional facilities, schools, and computer/telecom networks — especially when disclosure could threaten safety or security.
  • Includes exemptions for security-related information shared with federal agencies and for personally identifiable information of employees of private cloud service providers under federal criminal justice information agreements.

Who is affected

  • State and local government agencies (e.g., Department of Commerce, emergency management offices)State, county, and local agencies responsible for energy infrastructure planning and emergency response must now keep certain vulnerability and security information confidential to prevent public disclosure that could threaten safety.
  • Energy infrastructure operators and private cloud service providersOperators of energy systems (e.g., utilities, power plants, transmission companies) may be required to share sensitive security and resilience information with the state, which must then be protected from public release.
  • School districts and local governmentsSchool districts and local governments must keep specific security plans (e.g., safe school plans, emergency response plans) confidential to avoid exposing vulnerabilities to potential threats.
  • General public and news mediaThe general public may have less access to certain security-related records about energy systems, schools, and correctional facilities, even if the information was previously available under public records law.
Effective: July 28, 2025
Model: Intel/Qwen3-Coder-Next-int4-AutoRoundGenerated: Mar 19, 2026 at 7:08 PM

Pro/Con Analysis

Stronger case for benefits

Potential Benefits (5)
  • The bill adds a targeted exemption for highly specific, actionable intelligence about attacks or compromises on critical energy infrastructure — such as real-time vulnerability details or emergency response protocols — which, if disclosed, could aid malicious actors in planning disruptions. This reduces the risk of copycat attacks or exploitation of known weaknesses, thereby protecting grid resilience and public safety.

    Public SafetyRef: RCW 42.56.420(7)(a) and (b)(ii)(A)(I)
  • The bill expands existing exemptions for security plans in schools, correctional facilities, and IT systems, aligning Washington’s approach with federal standards (e.g., DHS and CISA guidance). This helps prevent adversaries from using publicly available records to identify weaknesses in critical facilities, supporting coordinated national security planning and reducing the risk of targeted attacks.

    Public SafetyRef: RCW 42.56.420(2), (3), (4), (5), (6)
  • By centralizing and protecting sensitive energy infrastructure data under the State Energy Resilience and Emergency Management Office, the bill enables more effective interagency coordination during emergencies — such as cyberattacks on the grid or physical sabotage — without fear of compromising operational plans through premature disclosure.

    Public SafetyRef: RCW 42.56.420(7)(a)
  • The explicit exclusion of *general locations* and *publicly available facts* from the exemption provides a safeguard against overbreadth — ensuring that basic infrastructure maps, utility service areas, and publicly filed permits remain accessible, preserving baseline transparency for journalists, researchers, and residents.

    Public SafetyRef: RCW 42.56.420(7)(b)(ii)(B)
  • The bill may reduce legal and operational risk for private energy operators (e.g., Puget Sound Energy, Avista) by protecting shared vulnerability assessments and resilience plans from compelled disclosure, encouraging more robust participation in state-led resilience initiatives without fear of competitive harm or reputational exposure.

    Business & EmploymentRef: RCW 42.56.420(7)(a)
Potential Concerns (5)
  • The bill creates a new, broad exemption for “critical energy infrastructure information,” including data about actual or potential attacks, compromises, or disruptions — but excludes only *general locations* and *publicly available facts*. This leaves significant room for overclassification: agencies could treat as exempt information that is not truly sensitive (e.g., generic vulnerability categories, non-specific threat assessments), reducing transparency around energy system resilience without clear public safety justification.

    Public SafetyRef: RCW 42.56.420(7)(a) and (b)(ii)(A)
  • The definition of “critical energy infrastructure information” excludes only information that *simply gives the general location* or *relays publicly available facts* — but does not require agencies to distinguish between generic and highly specific data. This ambiguity could allow agencies to withhold information that is already publicly known (e.g., via utility filings, FERC maps, or news reports), eroding public oversight under the guise of security.

    Public SafetyRef: RCW 42.56.420(7)(b)(ii)(B)
  • The bill creates a new administrative burden on state and local agencies to determine whether information qualifies as “critical energy infrastructure information” and to redact accordingly — but provides no funding or guidance on implementation. This increases compliance risk and operational complexity for smaller agencies without technical or legal resources.

    Local GovernmentRef: RCW 42.56.420(7)(a)
  • By expanding exemptions for security-related information across energy, schools, and correctional facilities, the bill reduces public access to information that could reveal systemic risks or government failures — especially concerning energy grid reliability, which directly affects public safety and economic stability. This weakens democratic accountability and the public’s ability to assess whether infrastructure investments and emergency planning are adequate.

    Rights & LibertiesPeopleRef: RCW 42.56.420(7)(a) and (b)
  • The exemption for “critical energy infrastructure information” applies to information that *threatens to disrupt or diminish the supply of energy to the extent that public health, safety, and general welfare may be jeopardized* — a highly subjective and low-threshold standard. This could be used to shield private utility operations from scrutiny, even when utilities have a history of safety violations or grid mismanagement, reducing market transparency and accountability.

    Business & EmploymentRef: RCW 42.56.420(7)(b)(ii)(A)(III)

Who Is Most Affected

State and local government agenciesMixed Impact

State and local agencies (e.g., Department of Commerce, emergency management offices) face increased responsibility to classify and protect sensitive information, with no added funding. While this improves interagency coordination during crises, it also increases compliance burden and risk of over-redaction, potentially limiting public access to legitimate information.

Energy infrastructure operators and private cloud service providersMixed Impact

Energy infrastructure operators (e.g., utilities, power plants) gain legal protection for shared security data, encouraging participation in state resilience programs. However, they may also face reputational risk if their vulnerability assessments are later leaked or if the public perceives the state as shielding them from accountability.

School districts and local governmentsMixed Impact

School districts gain legal cover to keep safe school plans confidential, reducing the risk of copycat threats or targeting. But this may also prevent communities from evaluating whether schools are adequately prepared for emergencies, especially in districts with known infrastructure vulnerabilities.

General public and news mediaNegative Impact

The general public loses access to certain security-related records, especially those involving energy grid vulnerabilities or emergency response plans. While this protects against exploitation by bad actors, it also reduces transparency around critical infrastructure resilience — a public good that affects all residents’ safety and economic stability.

Private cloud service providersPositive Impact

Private cloud service providers benefit from protections for employee PII and system security data under federal CJIS agreements, reducing liability and compliance risk. However, this also means less public oversight of how third-party vendors handle sensitive government data.