BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
AB 2091 (Conway)
As Amended June 14, 2010
Hearing Date: June 22, 2010
Fiscal: No
Urgency: No
TW:jd
SUBJECT
Public Records: Information Security
DESCRIPTION
This bill, sponsored by the Office of the Chief State
Information Officer (OCSIO), would exempt from disclosure under
the California Public Records Act information security records
that would reveal vulnerabilities of an information technology
system or increase the potential for cyber attacks.
BACKGROUND
The California Public Records Act (CPRA) was enacted in 1968 to
provide California citizens access to state and local agency
records. (AB 1381 (Bagley, Ch. 1473, Stats. 1968).) Under the
CPRA, state and local agencies are required, subject to
specified exemptions, to provide copies of disclosable public
records in the possession of the agency.
In 2006, the Legislature enacted the Technology Information Act
of 2005, which established the OCSIO. (SB 834 (Figueroa, Ch.
533, Stats. 2006).) The OCSIO is charged with the supervision
of California's information technology resources. In 2007, the
duties of the OCSIO were expanded to include, among other
things, establishing and enforcing state information technology
strategic plans, policies, and standards, and preparation of an
annual information technology report to assess and measure the
state's progress toward enhancing information technology. (SB
90 (Committee on Budget and Fiscal Review, Ch. 183, Stats.
2007).)
Pursuant to its reporting requirements, the OCSIO issued the
first Information Security Strategic Plan in October 2009. To
create statewide policies and procedures, the office must compile
numerous types of technical documents that reveal sensitive
information about California's IT infrastructure.
This bill would exempt documents pertaining to information
security, as specified, from disclosure under the CPRA.
CHANGES TO EXISTING LAW
Existing law, the CPRA, requires state and local agencies to
make public records available upon receipt of a request that
reasonably describes an identifiable record not otherwise exempt
from disclosure. (Gov. Code Sec. 6253.)
Existing law defines a state agency as every state office,
officer, department, division, bureau, board, and commission or
other state body or agency, except those agencies provided for
in Article IV (except Section 20 thereof) or Article VI of the
California Constitution. (Gov. Code Sec. 6252(f).)
Existing law exempts from public disclosure records of
intelligence information or security procedures of various state
agencies, as specified. (Gov. Code Sec. 6254(f).)
Existing law exempts from public disclosure documents prepared
by or for a state or local agency that assess vulnerability to
terrorist attack or other criminal acts intended to disrupt that
public agency's operations. (Gov. Code Sec. 6254(aa).)
Existing law entrusts the Office of the State Chief Information
Officer (OSCIO) with the task of establishing and enforcing
state information technology strategic plans, policies,
standards, and enterprise architecture. (Gov. Code Sec.
11545(b)(6).)
Existing law requires the OSCIO to prepare an annual information
technology strategic plan that shall guide the acquisition,
management, and use of information technology. (Gov. Code Sec.
11545(c).)
This bill would exempt from the CPRA the disclosure of
information security records that would reveal vulnerabilities
of an information technology system or increase the potential
for cyber attacks.
COMMENT
1. Stated need for the bill
The author writes:
The Office of the State Chief Information Officer [OSCIO]
recently released the first ever CA Information Security
Strategic Plan. As the office continues to provide strategic
direction to the state's departments and agencies, detailed
documentation of the CA system's infrastructure will be
compiled and reviewed at [OSCIO].
Currently, the Office of Information Security (within the
[OSCIO]) uses the "balance" test in order to redact the
majority of these documents when there is a Public Information
Request. This process requires a great deal of staff time and
usually results in the public release of partial records that
are deemed un-useable by the requestor.
California Government Code Section 6254(aa) already allows for
"a document prepared by or for a state or local agency that
assesses its vulnerability to terrorist attack or other
criminal acts intended to disrupt the public agency's
operations" to be exempted from public disclosure. AB 2091
intends to clearly codify information security documents as
exempt for the same reasons.
California State Association of Counties argues in support of
the bill as follows:
[T]he [C]PRA expressly exempts certain types of records from
disclosure. Exemptions previously granted involve sensitive
documents such as those including confidential medical
information and assessments of a public agency's physical
security threats. AB 2091 would establish Government Code
Section 6254.19 making specified information security
documents and information exempt from required disclosure.
Counties believe this narrow exemption makes sense. Public
entities' reliance on information technology to manage their
operations and work efficiently is, obviously, very extensive.
Public agencies' ability to make use of technological
advances and tools should not be hindered by fears that they
could be required to turn over sensitive information[,]
security documentation or files. AB 2091 would merely build
upon previously approved exemptions in the [C]PRA where a
compelling argument can be made that the public benefit of
keeping certain matters confidential exceeds the benefit of
disclosing that information. Divulging specific information
about local and/or state agencies' information systems - such
as those items covered by the bill (security plans, risk
assessments, incident reports, audits, and disaster recovery
plans) - presents far too many risks. Unfortunately, the
growth of information technology also brings with it increased
opportunities for hacking and other illegal activities. AB
2091 would simply create a narrow exception within the [C]PRA,
which would provide public agencies with needed protection
from the risk of security breaches and nefarious use of
sensitive information.
2. Creating a disclosure exemption for information security
documents
This bill would exempt certain information security documents
from disclosure under the CPRA. The OSCIO is an interested
party with respect to the exemption of information security
documents. The OSCIO was organized under Government Code
Section 11545(b)(6) and therefore qualifies as a state agency as
defined under the CPRA (Gov. Code Sec. 6252(f)). State agencies
are subject to public disclosure requirements contained in the
CPRA.
Last year, the OSCIO, while preparing the Information Security
Strategic Plan, recognized the need for exemption from
disclosure of certain information security documents. The
Information Security Strategic Plan compiled highly sensitive
information regarding California's technology infrastructure.
The sponsor states that the necessity to centrally retain
sensitive information security documents led the OCSIO to
request a Public Records Act exemption for those records that
would reveal vulnerabilities in the state's information
technology infrastructure.
The CPRA was enacted to provide public access to state and local
agency information. Various exemptions to disclosure required
under the CPRA have been crafted, including an exemption for
state and local intelligence and security information maintained
by state and local police. (Gov. Code Sec. 6254(f).) This type
of exemption was created in order to protect public safety.
State and local police compile and maintain sensitive
intelligence and security information that, if disclosed, could
be misused and harm the public. However, the exemptions
provided under Government Code Section 6254(f) do not extend to
the OSCIO because it is not a police agency.
The OSCIO compiles and maintains technology security
information, the disclosure of which could be misused to
effectuate cyber attacks on California's technology
infrastructure. This bill would exempt from public disclosure
information security records that would reveal vulnerabilities
of an information technology system and information that could
increase the potential for cyber attacks.
3. Narrowing the information security documents disclosure
exemption
This bill, as introduced, would have exempted from disclosure
under the CPRA information security plans, risk assessments,
audit and evaluation reports, incident reports, disaster recovery
plans, and records relating to the information security program
established pursuant to Government Code Section 11549.3. The
California Newspaper Publishers Association (CNPA) argued that
these provisions were too broad. CNPA detailed its argument in
an opposition letter as follows:
CNPA recognizes the need of the [O]CSIO to protect from public
disclosure the bona fide plans or procedures necessary to
protect government databases and computer systems from cyber
attacks. The half-dozen categories of information described
in AB 2091, though, would make secret general governmental
activities and expenditures associated with the security of
public computers and would prevent the public from monitoring
the health of the state's information technology, and, more
importantly, the performance of the public officials and
employees charged with protecting it. . . .
CNPA does not dispute that certain information created,
gathered or maintained by the Office of the Chief State
Information Officer might properly be exempted from public
disclosure. Instead of creating broad categories of
exemptions, applicable to every state and local agency, we
believe your bill would benefit by deleting its contents and
instead creating a single provision for the [O]CSIO that would
look at the character and content of the record to determine
its status, either as disclosable or exempt, based on the
public interest.
To resolve the concern raised by CNPA, the bill was amended to
narrow the disclosure exemption to information security records
that would reveal vulnerabilities of an information technology
system or increase the potential for cyber attacks. However, an
additional amendment is necessary to clarify that the exemption
should only be applied based on the facts of each case. The
proposed amendment comes from existing law, Government Code
Section 6255. CNPA indicates that this suggested amendment
would remove their opposition. The committee should amend this
bill as follows:
Suggested Amendment:
On page 13, at line 35 after "if" add ", on the facts of the
particular case,".
Support: California State Association of Counties; Desert Water
Agency; East Valley Water District; El Dorado Irrigation
District
Opposition: California Newspaper Publishers Association
HISTORY
Source: Office of the State Chief Information Officer
Related Pending Legislation: None Known
Prior Legislation: See Background.
Prior Vote:
Assembly Governmental Organization Committee (Ayes 19, Noes 0)
Assembly Floor (Ayes 76, Noes 0)