BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
AB 1841 (Irwin)
Version: April 14, 2016
Hearing Date: June 28, 2016
Fiscal: Yes
Urgency: No
SUBJECT
Cybersecurity Incident Response Plan and Standards
DESCRIPTION
This bill requires the Governor's Office of Emergency Services
(OES) and the California Department of Technology (CalTech) to
transmit to the Legislature a statewide cybersecurity incident
response plan by July 1, 2017. This bill also requires OES and
CalTech to develop cybersecurity incident response standards for
state agencies to prepare for possible interference, compromise,
or incapacitation, of critical infrastructure.
BACKGROUND
The State of California Emergency Plan (SEP) establishes
California's planned response to a variety of extraordinary
emergency situations associated with natural disasters or
human-caused emergencies. Pursuant to the California Emergency
Services Act (Gov. Code Sec. 8550), the SEP describes the
methods for carrying out emergency operations, the process for
rendering mutual aid, the emergency services of governmental
agencies, how resources are mobilized, how the public will be
informed of emergencies, and the process to ensure continuity of
government during an emergency or disaster.
The SEP is composed of three principal elements. The Basic Plan
describes the fundamental systems, strategies, policies,
assumptions, responsibilities, and operational priorities that
California will utilize to guide and support emergency
management efforts. The Functional Annexes to the SEP describe
discipline-specific goals, objectives, operational concepts,
capabilities, organizational structures, and related policies
and procedures. Finally, the Appendices to the SEP constitute
additional plans and procedures that are developed in support of
the SEP, such as mutual aid plans, hazard-specific plans,
catastrophic plans and related procedures. Together, these
elements provide a consistent, statewide framework to enable
state, local, tribal governments, the federal government, and
the private sector to work together to mitigate, prepare for,
respond to, and recover from the effects of emergencies
regardless of cause, size, location, or complexity.
This bill directs OES and CalTech to develop a new functional
annex on cybersecurity to the SEP called Emergency Function 18
(EF 18) by July 1, 2017. This bill also directs OES and CalTech
to formulate cybersecurity incident response standards for state
agencies by January 1, 2018, to prepare agencies for
cybersecurity interference with, or the compromise or
incapacitation of, critical infrastructure, and for the
development and transmittal of critical infrastructure
information.
CHANGES TO EXISTING LAW
Existing law, the data breach notification law, requires any
agency, person, or business that owns or licenses computerized
data that includes personal information to disclose a breach of
the security of the system to any California resident whose
unencrypted personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. The
disclosure must be made in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs
of law enforcement, as specified. (Civ. Code Secs. 1798.29(a),
(c) and 1798.82(a), (c).)
Existing law, the Information Practices Act of 1977, requires
each agency to establish appropriate and reasonable
administrative, technical, and physical safeguards to ensure
compliance with the provisions of the Act, to ensure the
security and confidentiality of records, and to protect against
anticipated threats or hazards to their security or integrity
which could result in any injury. (Civ. Code Sec. 1798.21.)
Existing law, the California Emergency Services Act, directs the
Governor to coordinate the State Emergency Plan and those
programs necessary for the mitigation of the effects of an
emergency in this state, and to coordinate the preparation of
plans and programs for the mitigation of the effects of an
emergency by the political subdivisions of this state. (Gov.
Code Sec. 8569.)
Existing law states that the State Emergency Plan shall be in
effect in each political subdivision of the state, and the
governing body of each political subdivision shall take such
action as may be necessary to carry out the provisions thereof.
(Gov. Code Sec. 8568.)
This bill requires OES, on or before July 1, 2017, in
conjunction with CalTech, to transmit to the Legislature a
cybersecurity incident response plan, known as the Cyber
Security Annex to the State Emergency Plan Emergency Function 18
that includes, but is not limited to, all of the following:
methods for providing emergency services;
command structure for statewide coordinated emergency
services;
emergency service roles of appropriate state agencies;
identification of resources to be mobilized;
public information plans; and
continuity of government services.
This bill requires OES, on or before January 1, 2018, in
conjunction with CalTech, to develop cybersecurity incident
response standards for state agencies to prepare for
cybersecurity interference with, or the compromise or
incapacitation of, critical infrastructure, and for the
development and transmission of critical infrastructure
information to OES. In developing the standards, OES shall
consider all of the following:
costs to implement the standards;
security of critical infrastructure information;
centralized management of risk; and
national private industry best practices.
This bill requires each state agency to report on its compliance
with the above standards no later than January 1, 2019, and
directs OES, in conjunction with CalTech, to provide suggestions
for state agencies to improve compliance with the standards.
This bill specifies that the report and communications required
under this provision are confidential and shall not be disclosed
pursuant to any state law, including the California Public
Records Act.
This bill makes related findings and declarations.
COMMENT
1. Stated need for the bill
The author writes:
The State Emergency Plan currently does not account for
cybersecurity risks imposed on the state and general public.
Despite years of effort to develop such planning, we have
failed to do so. As cybersecurity attacks become more
frequent and sophisticated, we must integrate those
considerations into our relative emergency planning and
resource allocations.
This bill requires the California Office of Emergency Services
in conjunction with the Department of Technology to transmit
to the Legislature, by July 1, 2017, a statewide emergency
services response plan for cybersecurity, and further requires
OES and [CalTech] to develop a comprehensive cybersecurity
strategy against critical infrastructure by January 1, 2018.
2. Cyber threat to critical infrastructure
With the development of digital technology, the owners and
operators of California's critical infrastructure - things like
power plants, water distribution systems, refineries, and
communications equipment - have largely replaced outdated analog
control systems with digital controls, often interconnected with
other systems through computer networks. These updated control
systems simplify the management of critical infrastructure and
make it more productive. Unfortunately, this same technology
also makes our infrastructure vulnerable to cyber attack.
In recent years, critical infrastructure in the United States
has been subject to a number of attacks by cybercriminals,
including a 2014 incident where an overseas hacker gained access
to systems regulating the flow of natural gas. These incidents
have prompted state and federal leaders to warn operators of
critical infrastructure of the need to bolster cyber defenses to
protect against debilitating attacks that threaten our public
safety and economic well-being. Indeed, just last year the
Governor declared that "cyber attacks aimed at breaching and
damaging computer networks and infrastructure in California
represent a major security risk and increase the state's
vulnerability to economic disruption, critical infrastructure
damage, privacy violations, and identity theft." (See Executive
Order B-34-15 [August 31, 2015].)
This bill would bolster California's critical infrastructure
cyber defenses by requiring OES and CalTech to create a cyber
security annex to the State Emergency Plan. This annex, once
completed, would help the State plan for, and respond to, cyber
attacks against infrastructure - both publicly and privately
owned - that Californians rely on in their daily lives. This
bill also directs state agencies to implement cybersecurity
incident response standards developed by OES and CalTech, which
will help agencies plan their responses to cyber attacks carried
out against their infrastructure and resources. While the bill
lists several factors for OES and CalTech to consider in
developing these standards, the Committee may wish to add
"continuity of operations" to that list in light of the reliance
Californians place on information technology systems to transact
business with state agencies.
3. Right to privacy and agency breaches
California recognizes the right to privacy as a fundamental
right and has enshrined that right along with other fundamental
rights in article I, section 1 of the California Constitution.
The harm that can result from the theft of personal information
via a data breach threatens to undermine that fundamental right.
Unfortunately, because of the size of its economy and the sheer
number of its consumers, data held by California businesses and
government agencies is frequently targeted by cyber criminals.
The Attorney General's 2014 California Data Breach Report found
that in 2012, "17 percent of the data breaches recorded in the
United States took place in California - more than any other
state" and that "the number of reported breaches in California
increased by 28 percent in 2013." (California Department of
Justice, California Data Breach Report (Oct. 2014)
[as of June 26, 2016].) The frequency
of data breaches in California and the threat that such breaches
pose to California residents makes timely and effective response
to a breach, and the ability to mitigate potential damages
resulting from the breach, matters of critical importance.
Recent data breaches show that government agencies are just as
vulnerable as businesses to breaches that expose the personal
information of California residents. In March of 2014, for
example, the California Department of Motor Vehicles reported
that its system for processing online credit card transactions
may have been breached, potentially compromising millions of
credit card numbers, expiration dates, and credit card security
codes. (See Kate Mather and Carla Rivera, California DMV
Probing Possible Breach of Customer Credit Cards, Los Angeles
Times (Mar. 22, 2014)
[as of June 26, 2016].) More recently, the
federal Office of Personnel Management suffered a massive data
breach that revealed the personal information - and in some
cases the fingerprints - of approximately 21.5 million
individuals, including many with secret-level security
clearances. (See James Eng, OPM Hack: Government Finally Starts
Notifying 21.5 Million Victims, NBC News (Oct. 1, 2015)
[as of June 26, 2016].)
When breaches do occur, a rapid and effective response is
crucial toward mitigating the impact to affected individuals.
This bill would assist state agencies in executing a rapid and
effective response in the wake of a breach or other cyber
incident by requiring these agencies to implement cybersecurity
incident response standards developed by OES and CalTech.
Having an effective response standard in place that, for
example, identifies needed resources and establishes protocols
for carrying out communications between participants, will speed
up an agency's ability to respond to an event. However, given
the sensitive nature of some of the personal information held by
state agencies, and California's recognition of a constitutional
right to privacy, it is important that an agency's cybersecurity
response standard recognizes the need to protect sensitive
information from disclosure or compromise. The Committee may,
therefore, wish to add "protection of personal information" to
the list of considerations guiding OES and CalTech in the
development of this standard.
Support: None Known
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation:
SB 949 (Jackson, 2016) would authorize the Governor to require
owners and operators of critical infrastructure to submit
critical infrastructure information to the Office of Emergency
Services, or any other designee, for the purposes of gathering,
analyzing, communicating, or disclosing critical infrastructure
information. This bill is pending in the Senate Governmental
Organization Committee.
SB 1444 (Hertzberg, 2016) would require state agencies that own
or license computerized data that includes personal information
to prepare a security plan that details the agency's strategy to
respond to a security breach of that information and its
associated consequences. This bill is pending in the Assembly
Privacy and Consumer Protection Committee.
AB 1346 (Gray, 2016) would, among other things, require the
Office of Emergency Services to update the State Emergency Plan
on or before January 1, 2018, and every five years thereafter.
This bill is pending in the Senate Appropriations Committee.
AB 739 (Irwin, 2015) would, until January 1, 2020, provide legal
immunity from civil or criminal liability for private entities
that communicate anonymized cyber security-threat information,
as specified. This bill is pending in the Assembly Judiciary
Committee.
Prior Legislation:
AB 670 (Irwin, Ch. 518, Stats. 2015) requires the Office of
Information Security, in consultation with the Office of
Emergency Services, to require no fewer than 35 independent
security assessments of state entities each year and determine
basic standards of services to be performed as part of that
assessment.
Prior Vote:
Senate Governmental Organization Committee (Ayes 12, Noes 0)
Assembly Floor (Ayes 79, Noes 0)
Assembly Appropriations Committee (Ayes 20, Noes 0)
Assembly Governmental Organization Committee (Ayes 21, Noes 0)
Assembly Privacy and Consumer Protection Committee (Ayes 11,
Noes 0)