BILL ANALYSIS

AB 2623
Page 1

Date of Hearing: May 18, 2016

ASSEMBLY COMMITTEE ON APPROPRIATIONS
Lorena Gonzalez, Chair

AB 2623 (Gordon) - As Amended April 28, 2016

Policy Committee: Privacy and Consumer Protection    Vote: 11 - 0

Urgency: No
State Mandated Local Program: No
Reimbursable: No

SUMMARY:

This bill requires state agencies and entities to annually report their information security expenditures to the California Department of Technology (CDT). Specifically, this bill:

1) Requires, on or before February 1, 2017, and annually thereafter, specified state agencies and state entities to submit a summary of their actual and projected information security costs, including the expenditure of federal grant funds for information security purposes.

2) Requires CDT to develop and provide instructions and a format for state agencies and entities to report their information security costs.

FISCAL EFFECT:

1) Ongoing costs (GF/SF/FF) to various state agencies, likely minor, to annually submit a summary report of information security costs, including expenditures of federal grant funds. The affected agencies currently submit similar reports on other topics.

2) One-time minor costs to CDT (GF) to develop the reporting instructions and format to be used by state agencies.

COMMENTS:

1) Purpose. This bill is intended to increase state government transparency in information security spending so that CDT can better manage agency performance and resource allocation for cybersecurity. Existing law requires state agencies to annually report their information technology and telecommunications costs to CDT. This bill requires a similar annual report for spending on information security. The standardized reporting created by this bill would give CDT a valuable data set for managing state agencies' spending on cybersecurity, including the ability to compare spending between agencies and to benchmark against other states, so that CDT can identify state entities that may be over- or under-resourcing cybersecurity efforts or misspending available funds.

2) Oversight Hearing. On February 24, 2016, the Assembly Committee on Privacy and Consumer Protection held an oversight hearing on California's Cybersecurity Strategy. Part of that hearing examined the findings of a 2015 California State Auditor (Auditor) report entitled "High Risk Update - Information Security." The Auditor found that "many state entities have weaknesses in their controls over information security. These weaknesses leave some of the State's sensitive data vulnerable to unauthorized use, disclosure, or disruption." The Auditor explained that "CDT is responsible for ensuring that state entities that are under the direct authority of the governor maintain the confidentiality, integrity, and availability of their information systems and protect the privacy of the State's information." However, it was revealed during the hearing that the state's Office of Information Security within CDT does not track how much state agencies are actually spending on cybersecurity. This bill is intended to increase state government transparency in information security spending so that CDT can better manage agency performance and resource allocation for cybersecurity.

3) Related Legislation. This is one of five cybersecurity-related bills before this Committee today:

a) AB 1841 (Irwin) requires the state OES, in conjunction with CDT, to develop, by July 1, 2017, a statewide emergency services response plan for cybersecurity attacks against critical infrastructure (EF 18), and would require OES and CDT to develop a comprehensive cybersecurity strategy by January 1, 2018, with which all state agencies must report compliance by January 1, 2019.

b) AB 1881 (Chang) requires the Director of CDT to develop and update mandatory baseline security controls for state networks based on industry and national standards, and to annually measure the state's progress toward compliance.

c) AB 2595 (Linder) establishes the California Cybersecurity Integration Center within the Office of Emergency Services to develop a cybersecurity strategy for California, and authorizes the administration of federal homeland security grant funding by OES.

d) AB 2720 (Chau) authorizes the creation of a Cybersecurity Vulnerability Reporting Reward Program that would provide a monetary reward to eligible individuals who identify and report previously unknown vulnerabilities in state computer networks.

4) Previous Legislation. AB 670 (Irwin), Chapter 518, Statutes of 2015, required CDT to conduct, or require to be conducted, no fewer than 35 independent security assessments of state agencies, departments, or offices annually.

Analysis Prepared by: Jennifer Swenson / APPR. / (916) 319-2081