AB 1841, as introduced, Irwin. Office of Emergency Services: duties: cybersecurity.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.
This bill would require the Office of Emergency Services to develop and transmit to the Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined. The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined, and private entities to prepare for cybersecurity attacks on critical infrastructure systems. The bill would require state agencies, and authorize private entities, to report its cybersecurity strategy to the office. The bill would require the office to provide suggestions for improvement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety. The bill would prohibit public disclosure of the office’s state-wide emergency services response plan and the individual cybersecurity strategies of state agencies and private entities.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the
(a) The current pervasive use of information technology in public and private enterprises has resulted in an abundance of public access to information and services provided by the government and businesses, but the increased interdependence on information technology systems has created a new type of risk for society. Cybersecurity threats to public and private critical infrastructure systems that use information technology within the state present risks to public health and safety and could severely disrupt private economic activity within California.
(b) Ensuring sufficient preparations are taken to protect these critical infrastructure systems from attacks to cybersecurity are in the public interest and serve a public purpose.
(c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, will help prepare for cyberattacks on these critical infrastructure systems, thereby reducing the potential consequences from those attacks.
(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is the proper state entity to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, to protect these critical infrastructure systems from attacks to cybersecurity. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during a cyberattack.
(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, to prepare California for cyberattacks on critical infrastructure systems under the unifying coordination of the Office of Emergency Services.
Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:
(a) For purposes of this article, “critical infrastructure systems” shall mean a public or private information technology system that services any of the following sectors:
(2) Emergency services.
(4) Financial Services.
(5) Food and Agriculture.
(6) Healthcare and public health.
(7) Transportation systems.
(8) Water and wastewater systems.
(b) “Secretary” shall mean the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(c) “State agency” or “state agencies” shall have the same meaning as “state agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the office shall transmit to the Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for state-wide coordinated emergency
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
(b) Notwithstanding Section 9795, the office shall transmit the plan to the Legislature by providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly.
(a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state agencies and private entities to prepare for cybersecurity attacks on critical infrastructure systems. In developing the standards, the office shall consider all of the following:
(1) Costs to implement the standards.
(2) Regional business impacts.
(3) National private industry best practices.
(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each
(a) Each state agency shall transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office in the manner and at the time directed by the office.
(b) The office shall provide suggestions for improvement to the cybersecurity strategy of a state agency, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide suggestions for improvement to a cybersecurity strategy, if any, to the head of the state agency and
(a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to
(b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity.
(a) The plan required by Section 8592.35, a state agency cybersecurity strategy required by Section 8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2).
The Legislature finds and declares that Section 2 of this act, which adds Section 8592.55 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the Office of Emergency Services’ state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and the individual cybersecurity strategies of state agencies and private entities promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure systems within the state.