BILL ANALYSIS

AB 2091
Page 1

CONCURRENCE IN SENATE AMENDMENTS
AB 2091 (Conway)
As Amended June 29, 2010
Majority vote

ASSEMBLY: 76-0 (May 13, 2010)
SENATE: 34-0 (August 2, 2010)

Original Committee Reference: G.O.

SUMMARY: Exempts from disclosure under the California Public Records Act (CPRA) information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks.

The Senate amendments make technical and clarifying changes.

EXISTING LAW:

1) Requires, under CPRA, state and local agencies to make public records available upon receipt of a request that reasonably describes an identifiable record not otherwise exempt from disclosure.

2) Defines a state agency as every state office, officer, department, division, bureau, board, and commission or other state body or agency, except those agencies provided for in Article IV (except Section 20 thereof) or Article VI of the California Constitution.

3) Exempts from public disclosure records of intelligence information or security procedures of various state agencies, as specified.

4) Exempts from public disclosure documents prepared by or for a state or local agency that assess vulnerability to terrorist attack or other criminal acts intended to disrupt that public agency's operations.

5) Entrusts the Office of the State Chief Information Officer (OCIO) with the task of establishing and enforcing state information technology strategic plans, policies, standards, and enterprise architecture.

6) Requires the OCIO to prepare an annual information technology strategic plan that shall guide the acquisition, management, and use of information technology.

AS PASSED BY THE ASSEMBLY, this bill exempts the information security reports of a state agency from the CPRA.

FISCAL EFFECT: This bill is keyed non-fiscal.

COMMENTS: This bill is intended to provide a specific exemption from disclosure under the CPRA to protect California residents from information security breaches.

This bill provides that nothing in the CPRA shall be construed to require the disclosure of an information security record of a public agency, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency.

According to this bill's sponsor, OCIO, nothing in this bill shall be construed to limit public disclosure of records stored within an information technology system of a public agency that are not otherwise exempt from disclosure pursuant to the provisions of the CPRA or any other provision of law.

Analysis Prepared by: Rod Brewer / G.O. / (916) 319-2531

FN: 0005595