BILL ANALYSIS �Ó
Senate Appropriations Committee Fiscal Summary
Senator Kevin de León, Chair
AB 2200 (J. Pérez) - California Cyber Security Commission.
Amended: August 4, 2014 Policy Vote: GO 8-1
Urgency: No Mandate: No
Hearing Date: August 11, 2014
Consultant: Brendan McCarthy
This bill meets the criteria for referral to the Suspense File.
Bill Summary: AB 2200 would create the California Cyber Security
Commission within the Governor's Office of Emergency Services
and require the Commission to take specified actions.
Fiscal Impact:
Ongoing costs of at least $1 million per year to provide
staff support to the Commission and to undertake the
programmatic responsibilities assigned to the Commission
(General Fund).
Potential costs in the low millions to provide additional
training on cyber security issues to specified state
employees (General Fund).
Background: Under current law, the Office of Information
Security within the Department of Technology is responsible for
ensuring the confidentiality and integrity of state data
systems. The Office of Information Security is required to
establish policies, standards, and procedures for state agencies
to manage security and risk.
Proposed Law: AB 2200 would create the California Cyber Security
Commission within the Governor's Office of Emergency Services
and require the Commission to take specified actions.
Specific provisions of the bill would:
Establish the Commission within the Governor's Office of
Emergency Services;
Specify the membership of the Commission, to include
certain state agency heads, representatives of specified
industries and groups, and legislative appointees;
Authorize the Commission to appoint an advisory board, with
�
AB 2200 (J. Perez)
Page 1
specified members;
Require the Commission to develop cyber defense strategies,
including performing risk assessments on state information
technology systems and coordinating efforts to reduce risks
to state systems;
Require the Commission to partner with the federal
Department of Homeland Security to develop an information
sharing system for cyber threat and response information;
Require the Commission to provide recommendations on cyber
security standards for state agencies;
Require the Commission to compile research on cyber
security threats to state agencies;
Require the Commission to facilitate public-private
partnerships on cyber security issues;
Require the Commission to develop and provide training to
state employees on cyber security issues;
Require the Commission to analyze issues relating to
insurance coverage for state agencies to insure against
costs relating to cyber security risks;
Require the Commission to collaborate with law enforcement
agencies;
Require the Commission to propose improvements to the
state's ability to assess and respond to cyber security
threats;
Require the Commission to coordinate the pursuit of federal
funds for cyber security;
The bill includes a sunset date of January 1, 2019.
Related Legislation: AB 1620 (Rodriguez) would establish the
California Emergency Management and Disaster Preparedness
Commission and give the Commission specified duties relating to
disaster preparedness. That bill will be heard in this
committee.
Staff Comments: The Commission created by the bill would have
responsibilities to advise the state and coordinate activities
by various state agencies and outside entities. In addition, the
Commission would have direct programmatic responsibilities (such
as developing training programs for state employees) that are
typically assigned to state departments rather than an
interagency commission.
The bill requires the Commission to operate within the
�
AB 2200 (J. Perez)
Page 2
information technology budget of each department served. Given
the significant programmatic responsibilities that the bill
assigns to the Commission, it does not seem likely that other
state agencies would be able to absorb the costs to support the
Commission.
In recent years, the federal government has made a significant
amount of grant funding available to the states for programs and
projects relating to cyber security. It is not known the extent
to which some of the requirements of this bill could be funded
with existing or new federal grant funds.