BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session

AB 2091 (Conway)
As Amended June 14, 2010
Hearing Date: June 22, 2010
Fiscal: No
Urgency: No
TW:jd

SUBJECT

Public Records: Information Security

DESCRIPTION

This bill, sponsored by the Office of the Chief State Information Officer (OCSIO), would exempt from disclosure under the California Public Records Act information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks.

BACKGROUND

The California Public Records Act (CPRA) was enacted in 1968 to provide California citizens access to state and local agency records. (AB 1381 (Bagley, Ch. 1473, Stats. 1968).) Under the CPRA, state and local agencies are required, subject to specified exemptions, to provide copies of disclosable public records in the possession of the agency.

In 2006, the Legislature enacted the Technology Information Act of 2005, which established the OCSIO. (SB 834 (Figueroa, Ch. 533, Stats. 2006).) The OCSIO is charged with the supervision of California's information technology resources. In 2007, the duties of the OCSIO were expanded to include, among other things, establishing and enforcing state information technology strategic plans, policies, and standards, and preparation of an annual information technology report to assess and measure the state's progress toward enhancing information technology. (SB 90 (Committee on Budget and Fiscal Review, Ch. 183, Stats. 2007).)

Pursuant to its reporting requirements, the OCSIO issued the first Information Security Strategic Plan in October 2009. To create statewide policies and procedures, the office must compile numerous types of technical documents that reveal sensitive information about California's IT infrastructure. This bill would exempt documents pertaining to information security, as specified, from disclosure under the CPRA.
CHANGES TO EXISTING LAW

Existing law, the CPRA, requires state and local agencies to make public records available upon receipt of a request that reasonably describes an identifiable record not otherwise exempt from disclosure. (Gov. Code Sec. 6253.)

Existing law defines a state agency as every state office, officer, department, division, bureau, board, and commission or other state body or agency, except those agencies provided for in Article IV (except Section 20 thereof) or Article VI of the California Constitution. (Gov. Code Sec. 6252(f).)

Existing law exempts from public disclosure records of intelligence information or security procedures of various state agencies, as specified. (Gov. Code Sec. 6254(f).)

Existing law exempts from public disclosure documents prepared by or for a state or local agency that assess vulnerability to terrorist attack or other criminal acts intended to disrupt that public agency's operations. (Gov. Code Sec. 6254(aa).)

Existing law entrusts the Office of the State Chief Information Officer (OSCIO) with the task of establishing and enforcing state information technology strategic plans, policies, standards, and enterprise architecture. (Gov. Code Sec. 11545(b)(6).)

Existing law requires the OSCIO to prepare an annual information technology strategic plan that shall guide the acquisition, management, and use of information technology. (Gov. Code Sec. 11545(c).)

This bill would exempt from the CPRA the disclosure of information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks.

COMMENT

1. Stated need for the bill

The author writes:

The Office of the State Chief Information Officer [OSCIO] recently released the first ever CA Information Security Strategic Plan.
As the office continues to provide strategic direction to the state's departments and agencies, detailed documentation of the CA system's infrastructure will be compiled and reviewed at [OSCIO]. Currently, the Office of Information Security (within the [OSCIO]) uses the "balance" test in order to redact the majority of these documents when there is a Public Information Request. This process requires a great deal of staff time and usually results in the public release of partial records that are deemed unusable by the requestor.

California Government Code Section 6254(aa) already allows for "a document prepared by or for a state or local agency that assesses its vulnerability to terrorist attack or other criminal acts intended to disrupt the public agency's operations" to be exempted from public disclosure. AB 2091 intends to clearly codify information security documents as exempt for the same reasons.

California State Association of Counties argues in support of the bill as follows:

[T]he [C]PRA expressly exempts certain types of records from disclosure. Exemptions previously granted involve sensitive documents such as those including confidential medical information and assessments of a public agency's physical security threats. AB 2091 would establish Government Code Section 6254.19 making specified information security documents and information exempt from required disclosure.

Counties believe this narrow exemption makes sense. Public entities' reliance on information technology to manage their operations and work efficiently is, obviously, very extensive. Public agencies' ability to make use of technological advances and tools should not be hindered by fears that they could be required to turn over sensitive information[,] security documentation or files.
AB 2091 would merely build upon previously approved exemptions in the [C]PRA where a compelling argument can be made that the public benefit of keeping certain matters confidential exceeds the benefit of disclosing that information. Divulging specific information about local and/or state agencies' information systems - such as those items covered by the bill (security plans, risk assessments, incident reports, audits, and disaster recovery plans) - presents far too many risks. Unfortunately, the growth of information technology also brings with it increased opportunities for hacking and other illegal activities. AB 2091 would simply create a narrow exception within the [C]PRA, which would provide public agencies with needed protection from the risk of security breaches and nefarious use of sensitive information.

2. Creating a disclosure exemption for information security documents

This bill would exempt certain information security documents from disclosure under the CPRA. The OSCIO is an interested party with respect to the exemption of information security documents. The OSCIO was organized under Government Code Section 11545(b)(6) and therefore qualifies as a state agency as defined under the CPRA (Gov. Code Sec. 6252(f)). State agencies are subject to public disclosure requirements contained in the CPRA.

Last year, the OSCIO, while preparing the Information Security Strategic Plan, recognized the need for exemption from disclosure of certain information security documents. The Information Security Strategic Plan compiled highly sensitive information regarding California's technology infrastructure. The sponsor states that the necessity to centrally retain sensitive information security documents led the OCSIO to request a Public Records Act exemption for those records that would reveal vulnerabilities in the state's information technology infrastructure.

The CPRA was enacted to provide public access to state and local agency information.
Various exemptions to disclosure required under the CPRA have been crafted, including an exemption for state and local intelligence and security information maintained by state and local police. (Gov. Code Sec. 6254(f).) This type of exemption was created in order to protect public safety. State and local police compile and maintain sensitive intelligence and security information that, if disclosed, could be misused and harm the public. However, the exemptions provided under Government Code Section 6254(f) do not extend to the OSCIO because it is not a police agency.

The OSCIO compiles and maintains technology security information, the disclosure of which could be misused to effectuate cyber attacks on California's technology infrastructure. This bill would exempt from public disclosure information security records that would reveal vulnerabilities of an information technology system and information that could increase the potential for cyber attacks.

3. Narrowing the information security documents disclosure exemption

This bill, as introduced, would have exempted from disclosure under the CPRA information security plans, risk assessments, audit and evaluation reports, incident reports, disaster recovery plans, and records relating to the information security program established pursuant to Government Code Section 11549.3. The California Newspaper Publishers Association (CNPA) argued that these provisions were too broad. CNPA detailed its argument in an opposition letter as follows:

CNPA recognizes the need of the [O]CSIO to protect from public disclosure the bona fide plans or procedures necessary to protect government databases and computer systems from cyber attacks.
The half-dozen categories of information described in AB 2091, though, would make secret general governmental activities and expenditures associated with the security of public computers and would prevent the public from monitoring the health of the state's information technology, and, more importantly, the performance of the public officials and employees charged with protecting it. . . .

CNPA does not dispute that certain information created, gathered or maintained by the Office of the Chief State Information Officer might properly be exempted from public disclosure. Instead of creating broad categories of exemptions, applicable to every state and local agency, we believe your bill would benefit by deleting its contents and instead creating a single provision for the [O]CSIO that would look at the character and content of the record to determine its status, either as disclosable or exempt, based on the public interest.

To resolve the concern raised by CNPA, the bill was amended to narrow the disclosure exemption to information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks. However, an additional amendment is necessary to clarify that the exemption should only be applied based on the facts of each case. The proposed amendment comes from existing law, Government Code Section 6255. CNPA indicates that this suggested amendment would remove their opposition. The committee should amend this bill as follows:

Suggested Amendment: On page 13, at line 35 after "if" add ", on the facts of the particular case,".

Support: California State Association of Counties; Desert Water Agency; East Valley Water District; El Dorado Irrigation District

Opposition: California Newspaper Publishers Association

HISTORY

Source: Office of the State Chief Information Officer

Related Pending Legislation: None Known

Prior Legislation: See Background.
Prior Vote: Assembly Governmental Organization Committee (Ayes 19, Noes 0); Assembly Floor (Ayes 76, Noes 0)