BILL ANALYSIS                                                                                                                                                                                                    

                                                                    AB 2623

                                                                    Page  1

          Date of Hearing:  May 18, 2016


                               Lorena Gonzalez, Chair

          AB 2623 (Gordon) - As Amended April 28, 2016

          |Policy       | Privacy and Consumer          |Vote:|11 - 0       |
          |Committee:   |Protection                     |     |             |

          Urgency:  No  State Mandated Local Program:  No  Reimbursable:  No

          SUMMARY:  This bill requires state agencies and entities to  
          annually report their information security expenditures to the  
          California Department of Technology (CDT).  Specifically, this bill:

          1)Requires, on or before February 1, 2017, and annually  
            thereafter, specified state agencies and state entities to  
            submit a summary of their actual and projected information  
            security costs, including the expenditure of federal grant  
            funds for information security purposes. 

          2)Requires CDT to develop and provide instructions and a format  
            for state agencies and entities to report their information  
            security costs.

          FISCAL EFFECT:

          1)Ongoing costs (GF/SF/FF) to various state agencies, likely  
            minor, to annually submit a summary report of information  
            security costs, including expenditures of federal grant funds.  
            The affected agencies currently submit similar reports on  
            other topics.

          2)One-time minor costs to CDT (GF) to develop the reporting  
            instructions and format to be used by state agencies.


          COMMENTS:

          1)Purpose.  This bill is intended to increase state government  
            transparency in information security spending so that CDT can  
            better manage agency performance and resource allocation for  
            cybersecurity.  Existing law requires state agencies to  
            annually report their information technology and  
            telecommunications costs to CDT. This bill requires a similar  
            annual report for spending on information security costs.  The  
            standardized reporting created by this bill would give CDT a  
            valuable data set to better manage state agencies' spending on  
            cybersecurity, including the ability to make spending  
            comparisons between agencies and facilitate benchmarking with  
            other states, so that CDT can identify state entities that  
            may be over- or under-resourcing cybersecurity efforts or  
            misspending available funds.

          2)Oversight Hearing. On February 24, 2016, the Assembly  
            Committee on Privacy and Consumer Protection held an oversight  
            hearing on California's Cybersecurity Strategy.  Part of that  
            hearing examined the findings of a 2015 California State  
            Auditor (Auditor) report entitled "High Risk Update -  
            Information Security." The Auditor found that "many state  
            entities have weaknesses in their controls over information  
            security.  These weaknesses leave some of the State's  
            sensitive data vulnerable to unauthorized use, disclosure, or  

            The Auditor explained that "CDT is responsible for ensuring  
            that state entities that are under the direct authority of the  
            governor maintain the confidentiality, integrity, and  
            availability of their information systems and protect the  
            privacy of the State's information."  However, the hearing  
            revealed that the Office of Information Security within CDT  
            does not track how much state agencies actually spend on  
            cybersecurity.

          3)Related legislation.  This is one of five  
            cybersecurity-related bills before this Committee today:

             a)   AB 1841 (Irwin) requires the state Office of Emergency  
               Services (OES), in conjunction  
               with the CDT to develop, by July 1, 2017, a statewide  
               emergency services response plan for cybersecurity attacks  
               against critical infrastructure (EF 18), and would require  
               OES and CDT to develop a comprehensive cybersecurity  
               strategy by January 1, 2018, with which all state agencies  
               must report compliance by January 1, 2019.  

             b)   AB 1881 (Chang) requires the Director of CDT to develop  
               and update mandatory baseline security controls for state  
               networks based on industry and national standards, and  
               annually measure the state's progress towards compliance.

             c)   AB 2595 (Linder) establishes the California  
               Cybersecurity Integration Center within the Office of  
               Emergency Services to develop a cybersecurity strategy for  
               California, and authorizes the administration of federal  
               homeland security grant funding by OES.

             d)   AB 2720 (Chau) authorizes the creation of a  
               Cybersecurity Vulnerability Reporting Reward Program that  
               would provide a monetary reward to eligible individuals who  
               identify and report previously unknown vulnerabilities in  
               state computer networks.

          4)Previous Legislation. AB 670 (Irwin), Chapter 518, Statutes of  
            2015, required CDT to conduct, or require to be conducted, no  
            fewer than 35 independent security assessments of state  
            agencies, departments or offices annually.   

           Analysis Prepared by:  Jennifer Swenson / APPR. / (916)