AB 1841, as amended, Irwin. Office of Emergency Services: duties: cybersecurity.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.
This bill would require the Office of Emergency Services to begin delete develop and end delete transmit to the begin delete Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined. end delete
The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined, begin delete and private entities to end delete prepare for cybersecurity begin delete attacks on end delete critical infrastructure begin delete systems. The bill end delete would require state begin delete agencies, and authorize private entities, end delete to report its begin delete cybersecurity strategy end delete to the office. The bill would require the office to provide suggestions for begin delete improvement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety. end delete The bill would prohibit public disclosure of begin delete the office’s state-wide emergency services response plan and end delete the begin delete individual end delete cybersecurity strategies of state begin delete agencies and private entities. end delete
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
The Legislature finds and declares all the
(a) The current pervasive use of information technology in begin delete and private end delete enterprises has resulted in an abundance of public access to information and services provided by the begin delete government and businesses, end delete but the increased begin delete on end delete information technology systems has created a new type of risk for society. begin delete Cybersecurity threats end delete begin delete and private end delete critical infrastructure begin delete systems end delete that use information technology within the state present risks to public health and safety and could severely disrupt begin delete private end delete economic activity within California.
(b) Ensuring sufficient preparations are taken to protect begin delete these end delete critical infrastructure begin delete systems end delete from begin delete attacks to cybersecurity end delete are in the public interest and serve a public purpose.
(c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort between begin delete federal and state governments and private entities, end delete will help prepare for begin delete cyberattacks on these end delete begin delete infrastructure systems, end delete thereby reducing the potential consequences from those attacks.
(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is begin delete the proper end delete state entity to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated begin delete federal and state governments and private entities, end delete to protect begin delete these end delete critical begin delete infrastructure systems from attacks to cybersecurity. end delete The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during begin delete a cyberattack. end delete
(e) It is the intent of the Legislature in enacting this to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort between begin delete federal and state governments and private entities, end delete to prepare California for begin delete cyberattacks on end delete critical infrastructure begin delete systems end delete under the unifying coordination of the Office of Emergency Services.
Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:
(a) For purposes of this article, “critical infrastructure systems” shall mean a public or private information technology system that services any of the following sectors:
(2) Emergency services.
(4) Financial Services.
(5) Food and Agriculture.
(6) Healthcare and public health.
(7) Transportation systems.
(8) Water and wastewater systems.
begin delete shall mean end delete the secretary of each state agency as set forth in subdivision (a) of Section 12800.
(c) end delete “State agency” or “state agencies” begin delete shall have end delete the begin delete meaning end delete as “state agency” as set forth in Section 11000.
(a) On or before July 1, 2017, the office shall transmit to the Legislature begin delete a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems end delete that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for state-wide coordinated emergency
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.
begin delete Notwithstanding Section 9795, the end delete office shall transmit the plan to the Legislature begin delete by providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly. end delete
(a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state begin delete and private entities end delete to prepare for cybersecurity begin delete attacks critical infrastructure begin delete systems. end delete In developing the standards, the office shall consider all of the following:
(1) Costs to implement the standards.
(2) Regional business impacts. end delete
(3) National end delete
private industry best practices.
(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each
(a) Each state agency shall begin delete transmit a cybersecurity strategy that meets the standards set forth in end delete Section 8592.40 to the office in the manner and at the time directed by the begin delete office. end delete
(b) The office shall provide suggestions for begin delete improvement to the cybersecurity strategy of a state agency, if any, end delete to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide begin delete for improvement to a cybersecurity strategy, if to the head of the state agency and the Governor.
(a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to
(b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity.
begin delete (a) end delete The begin delete plan required by Section 8592.35, a state agency cybersecurity strategy end delete required by Section begin delete 8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are end delete confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of
(b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2).
The Legislature finds and declares that Section 2 of this act, which adds Section begin delete 8592.55 end delete to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting
Preventing public disclosure of the begin delete Office of Emergency Services’ state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and the end delete begin delete strategies end delete of state agencies begin delete and private entities end delete promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure begin delete systems end delete within the state.