BILL ANALYSIS                                                                                                                                                                                                    





                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular Session


          AB 1841 (Irwin)
          Version: April 14, 2016
          Hearing Date: June 28, 2016
          Fiscal: Yes
          Urgency: No
          TH   


                                        SUBJECT
                                           
                 Cybersecurity Incident Response Plan and Standards

                                      DESCRIPTION 

          This bill requires the Governor's Office of Emergency Services  
          (OES) and the California Department of Technology (CalTech) to  
          transmit to the Legislature a statewide cybersecurity incident  
          response plan by July 1, 2017.  This bill also requires OES and  
          CalTech to develop cybersecurity incident response standards for  
          state agencies to prepare for possible interference, compromise,  
          or incapacitation, of critical infrastructure.

                                      BACKGROUND  

          The State of California Emergency Plan (SEP) establishes  
          California's planned response to a variety of extraordinary  
          emergency situations associated with natural disasters or  
          human-caused emergencies.  Pursuant to the California Emergency  
          Services Act (Gov. Code Sec. 8550), the SEP describes the  
          methods for carrying out emergency operations, the process for  
          rendering mutual aid, the emergency services of governmental  
          agencies, how resources are mobilized, how the public will be  
          informed of emergencies, and the process to ensure continuity of  
          government during an emergency or disaster.

          The SEP is composed of three principal elements.  The Basic Plan  
          describes the fundamental systems, strategies, policies,  
          assumptions, responsibilities, and operational priorities that  
          California will utilize to guide and support emergency  
          management efforts.  The Functional Annexes to the SEP describe  








          AB 1841 (Irwin)
          Page 2 of ? 

          discipline-specific goals, objectives, operational concepts,  
          capabilities, organizational structures, and related policies  
          and procedures.  Finally, the Appendices to the SEP constitute  
          additional plans and procedures that are developed in support of  
          the SEP, such as mutual aid plans, hazard-specific plans,  
          catastrophic plans and related procedures.  Together, these  
          elements provide a consistent, statewide framework to enable  
          state, local, tribal governments, the federal government, and  
          the private sector to work together to mitigate, prepare for,  
          respond to, and recover from the effects of emergencies  
          regardless of cause, size, location, or complexity.

          This bill directs OES and CalTech to develop a new functional  
          annex on cybersecurity to the SEP called Emergency Function 18  
          (EF 18) by July 1, 2017.  This bill also directs OES and CalTech  
          to formulate cybersecurity incident response standards for state  
          agencies by January 1, 2018, to prepare agencies for  
          cybersecurity interference with, or the compromise or  
          incapacitation of, critical infrastructure, and for the  
          development and transmittal of critical infrastructure  
          information.

                                CHANGES TO EXISTING LAW
           
           Existing law  , the data breach notification law, requires any  
          agency, person, or business that owns or licenses computerized  
          data that includes personal information to disclose a breach of  
          the security of the system to any California resident whose  
          unencrypted personal information was, or is reasonably believed  
          to have been, acquired by an unauthorized person.  The  
          disclosure must be made in the most expedient time possible and  
          without unreasonable delay, consistent with the legitimate needs  
          of law enforcement, as specified.  (Civ. Code Secs. 1798.29(a),  
          (c) and 1798.82(a), (c).)

           Existing law  , the Information Practices Act of 1977, requires  
          each agency to establish appropriate and reasonable  
          administrative, technical, and physical safeguards to ensure  
          compliance with the provisions of the Act, to ensure the  
          security and confidentiality of records, and to protect against  
          anticipated threats or hazards to their security or integrity  
          which could result in any injury.  (Civ. Code Sec. 1798.21.)

           Existing law  , the California Emergency Services Act, directs the  
          Governor to coordinate the State Emergency Plan and those  







          AB 1841 (Irwin)
          Page 3 of ? 

          programs necessary for the mitigation of the effects of an  
          emergency in this state, and to coordinate the preparation of  
          plans and programs for the mitigation of the effects of an  
          emergency by the political subdivisions of this state.  (Gov.  
          Code Sec. 8569.)

           Existing law  states that the State Emergency Plan shall be in  
          effect in each political subdivision of the state, and the  
          governing body of each political subdivision shall take such  
          action as may be necessary to carry out the provisions thereof.   
          (Gov. Code Sec. 8568.)

           This bill  requires OES, on or before July 1, 2017, in  
          conjunction with CalTech, to transmit to the Legislature a  
          cybersecurity incident response plan, known as the Cyber  
          Security Annex to the State Emergency Plan Emergency Function 18  
          that includes, but is not limited to, all of the following:
           methods for providing emergency services;
           command structure for statewide coordinated emergency  
            services;
           emergency service roles of appropriate state agencies;
           identification of resources to be mobilized;
           public information plans; and
           continuity of government services.

           This bill  requires OES, on or before January 1, 2018, in  
          conjunction with CalTech, to develop cybersecurity incident  
          response standards for state agencies to prepare for  
          cybersecurity interference with, or the compromise or  
          incapacitation of, critical infrastructure, and for the  
          development and transmission of critical infrastructure  
          information to OES.  In developing the standards, OES shall  
          consider all of the following:
           costs to implement the standards;
           security of critical infrastructure information;
           centralized management of risk; and
           national private industry best practices.

           This bill  requires each state agency to report on its compliance  
          with the above standards no later than January 1, 2019, and  
          directs OES, in conjunction with CalTech, to provide suggestions  
          for state agencies to improve compliance with the standards.   
          This bill specifies that the report and communications required  
          under this provision are confidential and shall not be disclosed  
          pursuant to any state law, including the California Public  







          AB 1841 (Irwin)
          Page 4 of ? 

          Records Act.

           This bill  makes related findings and declarations.
          
                                        COMMENT
           
           1.Stated need for the bill
           
          The author writes:

            The State Emergency Plan currently does not account for  
            cybersecurity risks imposed on the state and general public.   
            Despite years of effort to develop such planning, we have  
            failed to do so.  As cybersecurity attacks become more  
            frequent and sophisticated, we must integrate those  
            considerations into our relative emergency planning and  
            resource allocations.

            This bill requires the California Office of Emergency Services  
            in conjunction with the Department of Technology to transmit  
            to the Legislature, by July 1, 2017, a statewide emergency  
            services response plan for cybersecurity, and further requires  
            OES and [CalTech] to develop a comprehensive cybersecurity  
            strategy against critical infrastructure by January 1, 2018.



           2.Cyber threat to critical infrastructure
           
          With the development of digital technology, the owners and  
          operators of California's critical infrastructure - things like  
          power plants, water distribution systems, refineries, and  
          communications equipment - have largely replaced outdated analog  
          control systems with digital controls, often interconnected with  
          other systems through computer networks.  These updated control  
          systems simplify the management of critical infrastructure and  
          make it more productive.  Unfortunately, this same technology  
          also makes our infrastructure vulnerable to cyber attack.

          In recent years, critical infrastructure in the United States  
          has been subject to a number of attacks by cybercriminals,  
          including a 2014 incident where an overseas hacker gained access  
          to systems regulating the flow of natural gas.  These incidents  
          have prompted state and federal leaders to warn operators of  
          critical infrastructure of the need to bolster cyber defenses to  







          AB 1841 (Irwin)
          Page 5 of ? 

          protect against debilitating attacks that threaten our public  
          safety and economic well-being.  Indeed, just last year the  
          Governor declared that "cyber attacks aimed at breaching and  
          damaging computer networks and infrastructure in California  
          represent a major security risk and increase the state's  
          vulnerability to economic disruption, critical infrastructure  
          damage, privacy violations, and identity theft."  (See Executive  
          Order B-34-15 [August 31, 2015].)

          This bill would bolster California's critical infrastructure  
          cyber defenses by requiring OES and CalTech to create a cyber  
          security annex to the State Emergency Plan.  This annex, once  
          completed, would help the State plan for, and respond to, cyber  
          attacks against infrastructure - both publicly and privately  
          owned - that Californians rely on in their daily lives.  This  
          bill also directs state agencies to implement cybersecurity  
          incident response standards developed by OES and CalTech, which  
          will help agencies plan their responses to cyber attacks carried  
          out against their infrastructure and resources.  While the bill  
          lists several factors for OES and CalTech to consider in  
          developing these standards, the Committee may wish to add  
          "continuity of operations" to that list in light of the reliance  
          Californians place on information technology systems to transact  
          business with state agencies.

           3.Right to privacy and agency breaches
            
           California recognizes the right to privacy as a fundamental  
          right and has enshrined that right along with other fundamental  
          rights in article I, section 1 of the California Constitution.   
          The harm that can result from the theft of personal information  
          via a data breach threatens to undermine that fundamental right.  
           Unfortunately, because of the size of its economy and the sheer  
          number of its consumers, data held by California businesses and  
          government agencies is frequently targeted by cyber criminals.   
          The Attorney General's 2014 California Data Breach Report found  
          that in 2012, "17 percent of the data breaches recorded in the  
          United States took place in California - more than any other  
          state" and that "the number of reported breaches in California  
          increased by 28 percent in 2013."  (California Department of  
          Justice, California Data Breach Report (Oct. 2014)  
           [as of June 26, 2016].)  The frequency  
          of data breaches in California and the threat that such breaches  
          pose to California residents makes timely and effective response  







          AB 1841 (Irwin)
          Page 6 of ? 

          to a breach, and the ability to mitigate potential damages  
          resulting from the breach, matters of critical importance.

          Recent data breaches show that government agencies are just as  
          vulnerable as businesses to breaches that expose the personal  
          information of California residents.  In March of 2014, for  
          example, the California Department of Motor Vehicles reported  
          that its system for processing online credit card transactions  
          may have been breached, potentially compromising millions of  
          credit card numbers, expiration dates, and credit card security  
          codes.  (See Kate Mather and Carla Rivera, California DMV  
          Probing Possible Breach of Customer Credit Cards, Los Angeles  
          Times (Mar. 22, 2014)  
           [as of June 26, 2016].)  More recently, the  
          federal Office of Personnel Management suffered a massive data  
          breach that revealed the personal information -- and in some  
          cases the fingerprints -- of approximately 21.5 million  
          individuals, including many with secret-level security  
          clearances.  (See James Eng, OPM Hack: Government Finally Starts  
          Notifying 21.5 Million Victims, NBC News (Oct. 1, 2015)  
           [as of June 26, 2016].)
           
          When breaches do occur, a rapid and effective response is  
          crucial toward mitigating the impact to affected individuals.   
          This bill would assist state agencies in executing a rapid and  
          effective response in the wake of a breach or other cyber  
          incident by requiring these agencies to implement cybersecurity  
          incident response standards developed by OES and CalTech.   
          Having an effective response standard in place that, for  
          example, identifies needed resources and establishes protocols  
          for carrying out communications between participants, will speed  
          up an agency's ability to respond to an event.  However, given  
          the sensitive nature of some of the personal information held by  
          state agencies, and California's recognition of a constitutional  
          right to privacy, it is important that an agency's cybersecurity  
          response standard recognizes the need to protect sensitive  
          information from disclosure or compromise.  The Committee may,  
          therefore, wish to add "protection of personal information" to  
          the list of considerations guiding OES and CalTech in the  
          development of this standard.









          AB 1841 (Irwin)
          Page 7 of ? 

           Support  :  None Known

           Opposition  :  None Known



                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  :

          SB 949 (Jackson, 2016) would authorize the Governor to require  
          owners and operators of critical infrastructure to submit  
          critical infrastructure information to the Office of Emergency  
          Services, or any other designee, for the purposes of gathering,  
          analyzing, communicating, or disclosing critical infrastructure  
          information.  This bill is pending in the Senate Governmental  
          Organization Committee.

          SB 1444 (Hertzberg, 2016) would require state agencies that own  
          or license computerized data that includes personal information  
          to prepare a security plan that details the agency's strategy to  
          respond to a security breach of that information and its  
          associated consequences.  This bill is pending in the Assembly  
          Privacy and Consumer Protection Committee.

          AB 1346 (Gray, 2016) would, among other things require the  
          Office of Emergency Services to update the State Emergency Plan  
          on or before January 1, 2018, and every five years thereafter.   
          This bill is pending in the Senate Appropriations Committee.

          AB 739 (Irwin, 2015) would, until January 1, 2020, provide legal  
          immunity from civil or criminal liability for private entities  
          that communicate anonymized cyber security-threat information,  
          as specified.  This bill is pending in the Assembly Judiciary  
          Committee.

           Prior Legislation  :

          AB 670 (Irwin, Ch. 518, Stats. 2015) requires the Office of  
          Information Security, in consultation with the Office of  
          Emergency Services, to require no fewer than 35 independent  
          security assessments of state entities each year and determine  
          basic standards of services to be performed as part of that  







          AB 1841 (Irwin)
          Page 8 of ? 

          assessment.

           Prior Vote  :

          Senate Governmental Organization Committee (Ayes 12, Noes 0)
          Assembly Floor (Ayes 79, Noes 0)
          Assembly Appropriations Committee (Ayes 20, Noes 0)
          Assembly Governmental Organization Committee (Ayes 21, Noes 0)
          Assembly Privacy and Consumer Protection Committee (Ayes 11,  
          Noes 0)

                                   **************