Amended in Assembly March 28, 2016

California Legislature—2015–16 Regular Session

Assembly Bill No. 1841


Introduced by Assembly Member Irwin

February 9, 2016


An act to add Article 6.4 (commencing with Section 8592.30) to Chapter 7 of Division 1 of Title 2 of the Government Code, relating to emergency services.

LEGISLATIVE COUNSEL’S DIGEST

AB 1841, as amended, Irwin. Office of Emergency Services: duties: cybersecurity.

(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.

This bill would require the Office of Emergency Services to [delete: develop and] transmit to the [delete: Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined.] [insert: Legislature, on or before July 1, 2017, the Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18.] The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined, [delete: and private entities to] [insert: to, among other things,] prepare for cybersecurity [delete: attacks on] [insert: interference with, or the compromise or incapacitation of,] critical infrastructure [delete: systems. The bill] [insert: and] would require state [delete: agencies, and authorize private entities,] [insert: agencies] to report its [delete: cybersecurity strategy] [insert: compliance with these standards] to the office. The bill would require the office to provide suggestions for [delete: improvement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety.] [insert: a state agency to improve compliance with these standards.] The bill would prohibit public disclosure of [delete: the office’s state-wide emergency services response plan and] [insert: public records relating to] the [delete: individual] cybersecurity strategies of state [delete: agencies and private entities.] [insert: agencies, as specified.]

(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. The Legislature finds and declares all the following:

(a) The current pervasive use of information technology in public [delete: and private] enterprises has resulted in an abundance of public access to information and services provided by the [delete: government and businesses,] [insert: government,] but the increased interdependence [delete: on] [insert: of] information technology systems has created a new type of risk for society. [delete: Cybersecurity threats] [insert: Threats] to public [delete: and private] critical infrastructure [delete: systems] that use information technology within the state present risks to public health and safety and could severely disrupt [delete: private] economic activity within California.

(b) Ensuring sufficient preparations are taken to protect [delete: these] critical infrastructure [delete: systems] from [delete: attacks to cybersecurity] [insert: interference, compromise, or incapacitation] are in the public interest and serve a public purpose.

(c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort between [delete: federal and state governments and private entities,] [insert: state agencies,] will help prepare for [delete: cyberattacks on these] [insert: threats to] critical [delete: infrastructure systems,] [insert: infrastructure,] thereby reducing the potential consequences from those attacks.

(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is [delete: the proper] [insert: a] state entity [insert: appropriate] to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated effort between [delete: federal and state governments and private entities,] [insert: state agencies,] to protect [delete: these] critical [delete: infrastructure systems from attacks to cybersecurity.] [insert: infrastructure.] The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during [delete: a cyberattack.] [insert: an interference with, or the compromise or incapacitation of, critical infrastructure.]

(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort between [delete: federal and state governments and private entities,] [insert: state agencies,] to prepare California for [delete: cyberattacks on] [insert: threats to] critical infrastructure [delete: systems] under the unifying coordination of the Office of Emergency Services.

SEC. 2. Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 6.4.  Cybersecurity

[delete: 8592.30. (a) For purposes of this article, “critical infrastructure systems” shall mean a public or private information technology system that services any of the following sectors:]

[delete: (1) Communications.]

[delete: (2) Emergency services.]

[delete: (3) Energy.]

[delete: (4) Financial Services.]

[delete: (5) Food and Agriculture.]

[delete: (6) Healthcare and public health.]

[delete: (7) Transportation systems.]

[delete: (8) Water and wastewater systems.]

[delete: (b)]
[insert: 8592.30. As used in this article, the following definitions shall apply:]

[insert: (a) “Critical infrastructure” means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters.]

[insert: (b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:]

[insert: (1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety.]

[insert: (2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits.]

[insert: (3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure.]

[insert: (c)] “Secretary” [delete: shall mean] [insert: means] the secretary of each state agency as set forth in subdivision (a) of Section 12800.

[delete: (c)] [insert: (d)] “State agency” or “state agencies” [delete: shall have] [insert: means] the same [delete: meaning] as “state agency” as set forth in Section 11000.

8592.35. (a) On or before July 1, 2017, the office shall transmit to the Legislature [delete: a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems] [insert: the Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18,] that includes, but is not limited to, all of the following:

(1) Methods for providing emergency services.

(2) Command structure for state-wide coordinated emergency services.

(3) Emergency service roles of appropriate state agencies.

(4) Identification of resources to be mobilized.

(5) Public information plans.

(6) Continuity of government services.

(b) [delete: Notwithstanding Section 9795, the] [insert: The] office shall transmit the plan to the Legislature [delete: by providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly.] [insert: pursuant to Section 9795.]

8592.40. (a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state agencies [delete: and private entities] to prepare for cybersecurity [delete: attacks on] [insert: interference with, or the compromise or incapacitation of,] critical infrastructure [delete: systems.] [insert: and the development of critical infrastructure information, and to transmit critical infrastructure information to the office.] In developing the standards, the office shall consider all of the following:

(1) Costs to implement the standards.

[delete: (2) Regional business impacts.]

[delete: (3) National]

[insert: (2) Security of critical infrastructure information.]

[insert: (3) Centralized management of risk.]

[insert: (4)] [insert: National] private industry best practices.

(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary.

8592.45. (a) Each state agency shall [delete: transmit a cybersecurity strategy that meets the standards set forth in] [insert: report on their compliance with the standards developed pursuant to] Section 8592.40 to the office in the manner and at the time directed by the [delete: office.] [insert: office but no later than January 1, 2019.]

(b) The office shall provide suggestions for [delete: improvement to the cybersecurity strategy of a state agency, if any,] [insert: a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any,] to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide [insert: any] suggestions [delete: for improvement to a cybersecurity strategy, if any,] to the head of the state agency and the Governor.

[delete: 8592.50. (a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office.]

[delete: (b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity.]
[delete: 8592.55.] [insert: 8592.50] [delete: (a)] The [delete: plan required by Section 8592.35, a state agency cybersecurity strategy] [insert: report] required by [insert: subdivision (a) of] Section [delete: 8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are] [insert: 8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are] confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).

[delete: (b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2).]
SEC. 3. The Legislature finds and declares that Section 2 of this act, which adds Section [delete: 8592.55] [insert: 8592.50] to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

Preventing public disclosure of the [delete: Office of Emergency Services’ state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and the] individual cybersecurity [delete: strategies] [insert: preparations] of state agencies [delete: and private entities] promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure [delete: systems] within the state.


