BILL ANALYSIS

AB 739
Page 1

Date of Hearing: April 21, 2015

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
AB 739 Irwin - As Amended April 16, 2015

SUBJECT: Civil law: liability: communication of cyber security-threat information

SUMMARY: Provides legal immunity from civil or criminal liability for private entities that communicate anonymized cyber security-threat information and meet specified requirements, until January 1, 2020. Specifically, this bill:

1) Declares that there shall be no civil or criminal liability for, and no legal cause of action against, a private entity that communicates cyber security-threat information to another private entity or a state law enforcement entity in compliance with the requirements of this bill.

2) Requires that immunity from liability shall only apply if the communication is made without the intent to injure, defraud, or to otherwise endanger any individual or public or private entity, and is made for one of the following purposes:

   a) To address a vulnerability of a system, network, or critical infrastructure component of a public or private entity;

   b) To prevent a threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity;

   c) To provide support for cyber security crime investigation;

   d) To protect individuals and entities from personal or economic harm; or

   e) To protect the state's economic interests, including, but not limited to, networks, assets, and personal information.
3) Prohibits a private entity that communicates cyber security-threat information from using that information to gain an unfair competitive advantage, and further requires that entity to do all of the following in good faith:

   a) Make reasonable efforts to safeguard communications that can be used to identify specific persons from unauthorized access or acquisition;

   b) Comply with any lawful restriction placed on the communication, including the removal of information that can be used to identify specific persons;

   c) Transfer the cyber security-threat information as expediently as possible while upholding reasonable protections; and,

   d) Ensure, at a minimum, the appropriate anonymization and minimization of such information.

4) Defines "cyber security-threat information" as information pertaining directly to one of the following:

   a) A vulnerability of a system, network, or critical infrastructure component of a public or private entity;

   b) A threat to the integrity, confidentiality, or availability of a system, network, or critical infrastructure component of a public or private entity;

   c) Efforts to deny access to, or to cause the degradation, disruption, or destruction of a system, network, or critical infrastructure component of a public or private entity; and

   d) Efforts to gain unauthorized access to a system, network, or critical infrastructure component of a public or private entity.

5) Declares that communication of cyber security-threat information in compliance with these provisions and shared with a public agency is exempt from disclosure under the California Public Records Act.

6) Declares these provisions to become inoperative on January 1, 2020.

7) Makes findings and declarations relative to the limitations placed on the public's right of access to specified information, and the state's strong interest in protecting its information technology (IT) systems from intrusion.
EXISTING LAW:

1) Requires a person or business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (Civil Code (CC) Section 1798.81.5(b))

2) Requires a person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways a breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (CC 1798.82)

3) Establishes the Department of Technology (CalTech) within the Government Operations Agency, headed by the Director of Technology, who is also known as the State Chief Information Officer. CalTech is responsible for the approval and oversight of IT projects by, among other things, consulting with agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs. (Government Code (GC) Sections 11545, 12803.2)

4) Requires each state agency to have a chief information officer who is appointed by the head of the state entity, and is responsible for supervising all IT, including information security. (GC 11546.1)

5) Establishes the Office of Information Security (OIS) within DOT, which is responsible for ensuring the confidentiality, integrity, and availability of state systems and applications. The law requires the OIS to develop an information security program and establish policies, standards, and procedures directing state agencies to effectively manage security and risk. (GC 11549, et seq.)
6) Provides, pursuant to the California Public Records Act, for public access to public agencies' records, and requires that public records be open to inspection and that every person has the right to inspect any public record, with some exceptions. (GC 6250, et seq.)

FISCAL EFFECT: Unknown

COMMENTS:

1) Purpose of this bill. This bill is intended to increase the sharing of time-sensitive cyber security threat information by providing legal immunity to private parties who share anonymized threat information, subject to certain safeguards. The provisions of this bill would sunset on January 1, 2020. AB 739 is author-sponsored.

2) Author's statement. According to the author, "This bill will encourage cybersecurity information sharing by shielding companies from lawsuits based upon that process of sharing cybersecurity threat information. The lack of such liability protection has prevented further development of our information sharing channels between the private sector and government, and amongst private companies.

"The financial sector has been sharing information for the purposes specified in this bill since 1999. In response to critical incidents, other sectors have launched their own cyber threat information sharing portals. For example, the retail sector recently launched the R-CISC to share cybersecurity threat information between retailers, law enforcement, the Department of Homeland Security and other stakeholders.

"Cybersecurity crime accounts for an estimated $400 billion global economic impact. California is the most targeted state in the country with 17% of reported attacks or breaches occurring within the state. Prevention is the best policy and this bill will provide protection for preventative information sharing which empowers the private sector to take steps to protect themselves and mitigate the risk in the larger economy."

3) California and the cyber security threat.
According to the California Military Department (CMD), California's size and prominence make it vulnerable to cyber incidents that disrupt business, shut down critical infrastructure, and compromise intellectual property or national security. In 2012, 17 percent of the data breaches recorded in the United States took place in California - more than any other state; and the number of reported breaches in California increased by 28 percent in 2013. According to a January 2015 report by the California Attorney General's Office, 187 breaches were reported to the California Department of Justice in 2014, compared to 167 in 2013 and 131 in 2012. CMD calls cybercrime "a growth industry" causing $400 billion in negative impacts annually on the global economy. According to the Identity Theft Resource Center, there were 783 data breaches reported nationwide in 2014 - a 27.5 percent increase over the previous year. The Privacy Rights Clearinghouse reports that more than 815 million records have been compromised in more than 4,489 publicly acknowledged data breaches since 2005.

4) Existing efforts at threat information sharing. Cyber security-threat information sharing is based on the idea that the faster individual entities share information about cyber-attacks discovered on their networks, the faster other entities can prepare more effective defenses - thereby reducing vulnerability to cyber-attack across the entire system. Coordinated information sharing as a defensive tactic is not new. One well-established example is the creation of the Information Sharing and Analysis Centers (ISAC) for the financial services industry by Presidential Decision Directive 63 in 1998. The directive requested the public and private sector to create a partnership to share information about physical and cyber threats, vulnerabilities, and events to help protect the critical infrastructure of the United States.
After analysis by industry experts, alerts are delivered to participants based on their level of service. Today there are ISACs for fourteen critical infrastructures, such as financial services, electric, energy and surface transportation. Even non-critical infrastructure industries have set up their own threat information systems. For example, the retail industry has developed the Retail Cyber Intelligence Sharing Center, which shares threat information between retailers, law enforcement, the Department of Homeland Security and other stakeholders.

However, faced with rapid growth in the number and sophistication of attacks in recent years, there have been substantial efforts at the federal level and across the country to better prepare for cyber-attacks and increase the sharing of threat information. In February 2013, the President signed Executive Order 13636, which calls for the development of what the National Institute for Standards and Technology (NIST) called "a voluntary risk-based Cybersecurity Framework - a set of industry standards and best practices to help organizations manage cyber security risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cyber security risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses." NIST issued its policy recommendations in February 2014.

In February 2015, President Obama signed an Executive Order that encourages the development of central clearinghouses where information can be shared between the public and private sectors quickly and securely. There are also no fewer than four bills currently pending in Congress, H.R.234 (Ruppersberger), H.R.1560 (Nunes), S.456 (Carper), and S.754 (Burr), that would variously codify practices for threat information sharing, and in some cases provide some form of legal immunity for threat information sharing.
President Obama has also released a cyber-security information sharing proposal with liability protections for participants.

5) Concerns about the current state of threat information sharing. While there are multiple threat information-sharing systems in place, there is some question as to how comprehensive or effective those systems are. According to a January 2015 article by securityweek.com, "Threat information-sharing is a phrase that gets thrown often, but there isn't much agreement on how organizations should be working together or the methods they should be using. Some forms of information sharing already exist - the ISACs for various industries, including financial services, retail, and industrial control systems are just a few examples. Industry consortiums and groups have launched several sharing platforms, such as the one from MITRE. But some organizations remain wary about information-sharing for a myriad of reasons, including competitive concerns, liability worries, and reputation damage. Despite years of talking about it, there are still roadblocks to effective, widespread information sharing."

Effective information sharing also needs to happen quickly. A recently released "2015 Data Breach Investigations Report" from Verizon found that the speed with which threat information moves - or 'herd alertness' - is critical to limiting follow-on cyber-attacks. The report found that, "[b]ased on attacks observed by RiskAnalytics during 2014, 75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour. That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness."

6) Related legislation. AB 670 (Irwin) would require CalTech to conduct security assessments of the IT resources of every state agency, department or office at least once every two years.
AB 670 is currently pending in the Assembly Appropriations Committee.

AB 1172 (Chau) would create a California Cyber Security Task Force within the Governor's Office of Emergency Services to act in an advisory capacity and make policy recommendations on cyber security for the state of California. AB 1172 is currently set for hearing in the Assembly Privacy and Consumer Protection Committee on April 21, 2015.

7) Prior legislation. AB 2200 (Perez) of 2014 would have created a 13-member California Cyber Security Steering Committee within the Governor's Office of Emergency Services (OES), and would have continued the existence of the California Cyber Security Task Force until January 1, 2020. This bill was held at the Assembly Desk.

SB 1286 (Corbett) of 2014 would have raised from $35 million to $65 million the amount that the Public Utilities Commission may devote to research and development projects for the purposes of cyber security and grid integration. This bill was held in the Senate Rules Committee.

SB 90 (Budget and Fiscal Review), Chapter 183, Statutes of 2007, created the Office of Information Security and Privacy Protection within the State and Consumer Services Agency. The duties of that office included providing direction for information security and privacy to state government agencies; conducting security assessments and review of any state agency; providing educational information to consumers on effective ways of protecting personal information; and assisting in the prosecution of identity theft and other privacy-related crimes.

8) Double-referral. This bill is double-referred to the Assembly Judiciary Committee, where it will be heard on April 28, 2015, if passed by this Committee.

REGISTERED SUPPORT / OPPOSITION:

Support

None received.

Opposition

None received.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200