BILL ANALYSIS
AB 2200
Page 1
Date of Hearing: April 30, 2014
ASSEMBLY COMMITTEE ON ACCOUNTABILITY AND ADMINISTRATIVE REVIEW
Jim Frazier, Chair
AB 2200 (John A. Pérez) - As Introduced: February 20, 2014
SUBJECT : California Cyber Security Commission.
SUMMARY : Creates the California Cyber Security Commission
(CCSC). Specifically, this bill :
1) Charges the CCSC with improving the state's cyber security and
cyber response capabilities.
2) Requires the CCSC to issue quarterly reports to the Governor
and Legislature that detail the cyber security status and
progress of the state.
3) Specifies who appoints CCSC members and the composition of the
membership.
4) Sets administrative requirements of the CCSC.
5) Sunsets the CCSC on January 1, 2020.
6) Adds Legislative declarations about the importance of
effective cyber security.
EXISTING LAW requires the Office of Information Security (OIS)
to establish a state information security program, create
information security policies, and help state agencies manage
information security.
FISCAL EFFECT : Unknown
COMMENTS : The OIS, within the California Department of
Technology, is the primary state office charged with protecting
state information and ensuring confidentiality, integrity, and
availability of state systems and applications. In short, the
OIS is responsible, along with other agencies, for ensuring the
state's cyber security. However, various other programs and
agencies have roles related to managing the state's cyber
security.
This bill creates the CCSC to focus on improving the state's
cyber security and cyber response capabilities. Members,
representing the public, private, and academic sectors, would
share information to enable state government to protect and
secure important information, data, intellectual property,
financial networks, and critical infrastructure.
According to the author, this bill "would advance the state's
overall cyber security assessment, preparedness, and response
systems; promote cyber security information sharing and the use
of best practices among the private and public sectors; and
identify funding and research opportunities." The author
explains that different elements of the state's cyber security
are fragmented and the CCSC would help the state form a
coordinated strategy.
This bill requires the CCSC to issue a quarterly report to the
Governor's Office and Legislature about the cyber security
status and progress of the state. The report would include
recommendations to improve the state's cyber security.
The CCSC would be required to meet monthly beginning in January
2015. The bill specifies that the CCSC will have between 26 and 28
members, and provides that a quorum is 20 members. Twenty-two
members would be authorized to vote and four, or as many as six,
would serve in advisory roles as non-voting members. According
to the author's office, the author might later amend the bill to
decrease the number of members on the CCSC.
Members of the CCSC would include state executives or their
designees, including the Director of Emergency Services,
Adjutant General of the Military Department, Director of
Technology, Chief of the OIS, Commission President of the Public
Utilities Commission, Director of Transportation, Insurance
Commissioner, and State Public Health Officer.
Additionally, the Governor would appoint four information
technology and information security experts with one each from
the University of California, California State University, a
private university in California, and the Lawrence Livermore
National Laboratory or Lawrence Berkeley National Laboratory.
This bill also tasks the Governor with appointing three
representatives with experience in enforcement or prosecution of
cyber crimes with one each from the California Highway Patrol,
Department of Justice, and Bureau of Investigations or the
Federal Bureau of Investigations.
Four other representatives from the retail, finance, utilities,
health care, or technology industries with knowledge, expertise,
and experience in information technology and information
security would also be appointed. The Governor would appoint
two and the Speaker of the Assembly (Speaker) and Senate
Committee on Rules (Rules) would each appoint one of these
members.
The CCSC would also have at least four non-voting members. Two
would be members of the Assembly (appointed by the Speaker) and
two would be members of the Senate (appointed by Rules) who are
chairpersons of legislative committees that address information
technology and information security. The CCSC would also be
allowed to include two representatives from the United States
Department of Homeland Security who are experts in information
technology and information security.
This bill would sunset the CCSC on January 1, 2020.
The opposition contends that this bill would conflict with cyber
security work that is being done in the San Diego area.
REGISTERED SUPPORT / OPPOSITION :
Support
Risk Management Society
Opposition
San Diego District Attorney
Analysis Prepared by : Scott Herbstman / A. & A.R. / (916)
319-3600