SB 5582
In CommitteeSenate
Critical energy infra./PRA
Concerning the disclosure of critical energy infrastructure information.
This status may be delayed. See Action History below for the latest updates.
How does a bill become law?
- Introduced: The bill is filed and assigned a number.
- Committee: A subject-matter committee holds hearings, takes public testimony, and decides whether to advance the bill.
- Floor Vote: The full chamber (House or Senate) debates and votes on the bill.
- Opposite Chamber: The bill repeats the committee and floor vote process in the other chamber.
- Governor: The Governor reviews the bill and decides whether to sign or veto it.
- Signed: The bill has been signed into law.
AI Analysis
This bill adds a new public records exemption for sensitive information about critical energy infrastructure, including threat assessments and security plans, to protect against potential attacks or disruptions. It also expands existing exemptions for security-related records at correctional facilities, schools, and IT systems.
- Adds a new exemption under the Public Records Act (PRA) for critical energy infrastructure information collected to support the State Energy Resilience and Emergency Management Office.
- Defines 'critical energy infrastructure' as physical or virtual systems whose failure could disrupt energy supply and threaten public health, safety, or welfare.
- Defines 'critical energy infrastructure information' as non-public, specific details about threats, attacks, or vulnerabilities — not general location data or publicly available information.
- Expands existing PRA exemptions to include security plans and vulnerability assessments for correctional facilities, schools, and IT/network systems.
- Clarifies exemptions for security-related information held by private cloud service providers with federal Criminal Justice Information Services (CJIS) agreements.
Who is affected
- State and local government agencies (e.g., Department of Commerce, Department of Energy, emergency management offices) — State, county, and local government agencies responsible for energy infrastructure planning and emergency response may need to adjust how they collect, store, and share sensitive security-related information.
- Private energy infrastructure providers and operators — Private energy companies and infrastructure operators may be required to share sensitive security information with the state, but with protections against public disclosure.
- General public and news media — The public may have less access to certain details about energy infrastructure security, potentially limiting transparency around how the state protects critical systems.
- Employees of private cloud service providers with CJIS agreements — Employees of private cloud service providers who handle criminal justice information may benefit from clearer protections for their personally identifiable information.
Pro/Con Analysis
Potential Benefits (5)
By exempting specific threat and vulnerability data from disclosure, the bill helps prevent adversaries from using publicly available information to plan attacks on energy infrastructure—reducing the risk of coordinated blackouts, cyberattacks, or physical sabotage that could endanger lives and disrupt essential services for millions.
Public SafetyPeopleRef: Sec. 1(7)(a) and (b)(ii)(A)Expanding existing exemptions for correctional facilities, schools, and IT systems strengthens protections for sensitive security plans, reducing the risk that malicious actors could exploit publicly available operational details—particularly important for schools and juvenile facilities where threats to children require heightened confidentiality.
Public SafetyPeopleRef: Sec. 1(2), (3), (4), (5), (6)The explicit carve-out for “general location” and “publicly available information” allows agencies to share non-sensitive, high-level infrastructure data (e.g., regional grid topology, non-specific facility types) to support emergency planning and public awareness—balancing transparency with security.
Public SafetyPeopleRef: Sec. 1(7)(b)(ii)(B)Clarifying exemptions for personally identifiable information (PII) of cloud service provider employees helps protect individuals from potential retaliation or targeting if their roles in managing critical infrastructure are disclosed—adding a layer of personal safety for workers in sensitive technical roles.
Rights & LibertiesLean peopleRef: Sec. 1(6)The bill’s lack of new funding or staffing requirements means local agencies won’t face immediate budgetary strain from implementation—though this also means they may lack resources to fully comply with the new exemption standards, potentially leading to inconsistent or legally risky redaction practices.
Local GovernmentLean peopleRef: Fiscal Impact section
Potential Concerns (5)
The bill creates a broad new exemption for “critical energy infrastructure information,” including data on actual, potential, or threatened attacks, which could prevent public oversight of how the state protects or fails to protect energy systems—potentially hiding failures or mismanagement that affect public safety and environmental risk. This reduces transparency around critical infrastructure that directly impacts daily life (e.g., blackouts, gas shortages, cyberattacks), undermining democratic accountability.
Rights & LibertiesIndustryRef: Sec. 1(7)(a) and (b)(ii)(A)The definition of “critical energy infrastructure information” is expansive and includes data on *threatened* attacks—not just actual ones—meaning even speculative or unverified threat assessments could be withheld. This overbreadth risks shielding internal government errors, misjudgments, or inadequate preparedness from public scrutiny, potentially increasing long-term public safety risks.
Public SafetyIndustryRef: Sec. 1(7)(b)(ii)(A) and (ii)(B)While the bill includes private energy infrastructure operators in the scope of entities whose information may be exempted, the primary beneficiaries are large, investor-owned utilities and energy conglomerates—many of which already have robust security and legal teams—whereas small, community-based energy cooperatives or rural utilities may lack resources to navigate the new exemption process, creating an uneven burden.
Business & EmploymentIndustryRef: Sec. 1(7)(a)The exclusion of “general location data” and “publicly available information” creates ambiguity: what counts as “general” vs. “specific and unique”? This could lead to inconsistent application across agencies, with some over-redacting useful information (e.g., grid resilience maps) and others under-redacting sensitive details—potentially confusing emergency responders and the public alike.
Public SafetyLean industryRef: Sec. 1(7)(b)(ii)(B)Local governments and utilities may be required to submit sensitive infrastructure data to the state without clear guidance on how to redact or classify it, increasing administrative burden and legal risk—especially for smaller jurisdictions lacking legal or cybersecurity staff—while gaining no new authority to independently assess or respond to threats.
Local GovernmentLean industryRef: Sec. 1(7)(a)
Who Is Most Affected
Large investor-owned utilities (e.g., PSE, Avista) benefit most from the new exemption, as they operate complex, high-value infrastructure and have the legal resources to engage with state security programs; they face minimal risk from non-disclosure and gain protection for proprietary vulnerability assessments.
Local governments and small utilities (e.g., municipal electric departments, rural cooperatives) face increased compliance burden without added authority or resources; they may over-redact or under-redact due to ambiguous definitions, exposing them to legal or security risks.
Private cloud providers with CJIS agreements gain legal clarity and protection for employee PII, but may face new obligations to coordinate with state agencies on redaction—though they are unlikely to be primary targets of attacks, their role is ancillary.
The public and news media lose access to specific threat and vulnerability data, limiting their ability to scrutinize the state’s energy resilience planning—especially concerning environmental risks (e.g., dam failures, pipeline leaks) where transparency is critical for community preparedness.
Emergency responders and public health agencies may benefit from more secure internal coordination, but could be hindered if over-redaction prevents sharing of non-sensitive operational context with frontline personnel during crises.