Skip to main content

SB 5582

In Committee

Senate

Critical energy infra./PRA

Concerning the disclosure of critical energy infrastructure information.

This status may be delayed. See Action History below for the latest updates.

How does a bill become law?
  1. Introduced: The bill is filed and assigned a number.
  2. Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
  3. Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
  4. Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
  5. Governor: The Governor reviews the bill and decides whether to sign or veto it.
  6. Signed: The bill has been signed into law.
Introduced: January 29, 2025
Last Action: January 12, 2026
Status: S State Gov/Trib
Companion Bill:

AI Analysis

This analysis was generated by AI and may contain errors. It is not legal advice. Always refer to the official bill text for authoritative information.
People & CommunitiesBalancedCorporate & Wealthy Interests

This bill adds a new public records exemption for sensitive information about critical energy infrastructure, including threat assessments and security plans, to protect against potential attacks or disruptions. It also expands existing exemptions for security-related records at correctional facilities, schools, and IT systems.

  • Adds a new exemption under the Public Records Act (PRA) for critical energy infrastructure information collected to support the State Energy Resilience and Emergency Management Office.
  • Defines 'critical energy infrastructure' as physical or virtual systems whose failure could disrupt energy supply and threaten public health, safety, or welfare.
  • Defines 'critical energy infrastructure information' as non-public, specific details about threats, attacks, or vulnerabilities — not general location data or publicly available information.
  • Expands existing PRA exemptions to include security plans and vulnerability assessments for correctional facilities, schools, and IT/network systems.
  • Clarifies exemptions for security-related information held by private cloud service providers with federal Criminal Justice Information Services (CJIS) agreements.

Who is affected

  • State and local government agencies (e.g., Department of Commerce, Department of Energy, emergency management offices)State, county, and local government agencies responsible for energy infrastructure planning and emergency response may need to adjust how they collect, store, and share sensitive security-related information.
  • Private energy infrastructure providers and operatorsPrivate energy companies and infrastructure operators may be required to share sensitive security information with the state, but with protections against public disclosure.
  • General public and news mediaThe public may have less access to certain details about energy infrastructure security, potentially limiting transparency around how the state protects critical systems.
  • Employees of private cloud service providers with CJIS agreementsEmployees of private cloud service providers who handle criminal justice information may benefit from clearer protections for their personally identifiable information.
Effective: July 28, 2025Fiscal impact: No significant fiscal impact identified; the bill primarily clarifies existing exemptions under the Public Records Act and does not create new programs or staffing requirements.
Model: Intel/Qwen3-Coder-Next-int4-AutoRoundGenerated: Mar 19, 2026 at 9:05 PM

Pro/Con Analysis

Potential Benefits (5)
  • By exempting specific threat and vulnerability data from disclosure, the bill helps prevent adversaries from using publicly available information to plan attacks on energy infrastructure—reducing the risk of coordinated blackouts, cyberattacks, or physical sabotage that could endanger lives and disrupt essential services for millions.

    Public SafetyPeopleRef: Sec. 1(7)(a) and (b)(ii)(A)
  • Expanding existing exemptions for correctional facilities, schools, and IT systems strengthens protections for sensitive security plans, reducing the risk that malicious actors could exploit publicly available operational details—particularly important for schools and juvenile facilities where threats to children require heightened confidentiality.

    Public SafetyPeopleRef: Sec. 1(2), (3), (4), (5), (6)
  • The explicit carve-out for “general location” and “publicly available information” allows agencies to share non-sensitive, high-level infrastructure data (e.g., regional grid topology, non-specific facility types) to support emergency planning and public awareness—balancing transparency with security.

    Public SafetyPeopleRef: Sec. 1(7)(b)(ii)(B)
  • Clarifying exemptions for personally identifiable information (PII) of cloud service provider employees helps protect individuals from potential retaliation or targeting if their roles in managing critical infrastructure are disclosed—adding a layer of personal safety for workers in sensitive technical roles.

    Rights & LibertiesLean peopleRef: Sec. 1(6)
  • The bill’s lack of new funding or staffing requirements means local agencies won’t face immediate budgetary strain from implementation—though this also means they may lack resources to fully comply with the new exemption standards, potentially leading to inconsistent or legally risky redaction practices.

    Local GovernmentLean peopleRef: Fiscal Impact section
Potential Concerns (5)
  • The bill creates a broad new exemption for “critical energy infrastructure information,” including data on actual, potential, or threatened attacks, which could prevent public oversight of how the state protects or fails to protect energy systems—potentially hiding failures or mismanagement that affect public safety and environmental risk. This reduces transparency around critical infrastructure that directly impacts daily life (e.g., blackouts, gas shortages, cyberattacks), undermining democratic accountability.

    Rights & LibertiesIndustryRef: Sec. 1(7)(a) and (b)(ii)(A)
  • The definition of “critical energy infrastructure information” is expansive and includes data on *threatened* attacks—not just actual ones—meaning even speculative or unverified threat assessments could be withheld. This overbreadth risks shielding internal government errors, misjudgments, or inadequate preparedness from public scrutiny, potentially increasing long-term public safety risks.

    Public SafetyIndustryRef: Sec. 1(7)(b)(ii)(A) and (ii)(B)
  • While the bill includes private energy infrastructure operators in the scope of entities whose information may be exempted, the primary beneficiaries are large, investor-owned utilities and energy conglomerates—many of which already have robust security and legal teams—whereas small, community-based energy cooperatives or rural utilities may lack resources to navigate the new exemption process, creating an uneven burden.

    Business & EmploymentIndustryRef: Sec. 1(7)(a)
  • The exclusion of “general location data” and “publicly available information” creates ambiguity: what counts as “general” vs. “specific and unique”? This could lead to inconsistent application across agencies, with some over-redacting useful information (e.g., grid resilience maps) and others under-redacting sensitive details—potentially confusing emergency responders and the public alike.

    Public SafetyLean industryRef: Sec. 1(7)(b)(ii)(B)
  • Local governments and utilities may be required to submit sensitive infrastructure data to the state without clear guidance on how to redact or classify it, increasing administrative burden and legal risk—especially for smaller jurisdictions lacking legal or cybersecurity staff—while gaining no new authority to independently assess or respond to threats.

    Local GovernmentLean industryRef: Sec. 1(7)(a)

Who Is Most Affected

Large investor-owned utilitiesPositive Impact

Large investor-owned utilities (e.g., PSE, Avista) benefit most from the new exemption, as they operate complex, high-value infrastructure and have the legal resources to engage with state security programs; they face minimal risk from non-disclosure and gain protection for proprietary vulnerability assessments.

Small and municipal utilities/local governmentsMixed Impact

Local governments and small utilities (e.g., municipal electric departments, rural cooperatives) face increased compliance burden without added authority or resources; they may over-redact or under-redact due to ambiguous definitions, exposing them to legal or security risks.

Private cloud service providers (CJIS partners)Positive Impact

Private cloud providers with CJIS agreements gain legal clarity and protection for employee PII, but may face new obligations to coordinate with state agencies on redaction—though they are unlikely to be primary targets of attacks, their role is ancillary.

General public and news mediaNegative Impact

The public and news media lose access to specific threat and vulnerability data, limiting their ability to scrutinize the state’s energy resilience planning—especially concerning environmental risks (e.g., dam failures, pipeline leaks) where transparency is critical for community preparedness.

Emergency management and public health agenciesMixed Impact

Emergency responders and public health agencies may benefit from more secure internal coordination, but could be hindered if over-redaction prevents sharing of non-sensitive operational context with frontline personnel during crises.

Sponsors

Senator Boehnke(Republican)District 8Primary
Senator Dozier(Republican)District 16Secondary
Senator Hasegawa(Democrat)District 11Secondary
Senator Nobles(Democrat)District 28Secondary