BILL ANALYSIS                                                                                                                                                                                                    ”

                                                                    AB 2623

                                                                    Page  1


          2623 (Gordon and Irwin)

          As Amended  April 28, 2016

          Majority vote

          |Committee       |Votes|Ayes                  |Noes                |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |Privacy         |11-0 |Chau, Wilk, Baker,    |                    |
          |                |     |Calderon, Chang,      |                    |
          |                |     |Cooper, Dababneh,     |                    |
          |                |     |Gatto, Gordon, Low,   |                    |
          |                |     |Olsen                 |                    |
          |                |     |                      |                    |
          |Appropriations  |20-0 |Gonzalez, Bigelow,    |                    |
          |                |     |Bloom, Bonilla,       |                    |
          |                |     |Bonta, Calderon,      |                    |
          |                |     |Chang, Daly, Eggman,  |                    |
          |                |     |Gallagher, Eduardo    |                    |
          |                |     |Garcia, Roger         |                    |
          |                |     |HernŠndez, Holden,    |                    |
          |                |     |Jones, Obernolte,     |                    |
          |                |     |Quirk, Santiago,      |                    |
          |                |     |Wagner, Weber, Wood   |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |


                                                                    AB 2623

                                                                    Page  2

          SUMMARY:  Requires state agencies and entities to report their  
          information security expenditures on an annual basis to the  
          California Department of Technology (CDT).  Specifically, this  

          1)Requires, on or before February 1, 2017, and annually  
            thereafter, specified state agencies and entities to submit a  
            summary of their actual and projected information security  
            costs, including personnel, for the immediately preceding  
            fiscal year and current fiscal year, showing current expenses  
            and projected expenses for the current fiscal year in order to  
            capture statewide information security expenditures, including  
            the expenditure of federal grant funds for information  
            security purposes. 
          2)Requires CDT to develop and provide instructions and a format  
            for state agencies and entities to report their information  
            security costs.

          3)Makes other technical and nonsubstantive amendments.

          FISCAL EFFECT:  According to the Assembly Appropriations  

          1)Ongoing costs (General Fund/SF/FF) to various state agencies,  
            likely minor, to annually submit a summary report of  
            information security costs, including expenditures of federal  
            grant funds.  The affected agencies currently submit similar  
            reports on other topics.

          2)One-time minor costs to CDT (General Fund) to develop the  
            reporting instructions and format to be used by state  


                                                                    AB 2623

                                                                    Page  3


          1)Purpose of this bill.  This bill is intended to increase state  
            government transparency in information security spending so  
            that CDT, the Governor's Office and the Legislature can better  
            manage agency performance and resource allocation for  
            cybersecurity.  This bill is author-sponsored.  

          2)Questions regarding state oversight of cybersecurity.  On  
            February 24, 2016, the Assembly Privacy and Consumer  
            Protection Committee and the Select Committee on Cybersecurity  
            held a joint oversight hearing on California's Cybersecurity  
            Strategy.  Part of that hearing examined the findings of a  
            2015 California State Auditor (Auditor) report entitled "High  
            Risk Update - Information Security" (Report 2015-611).  The  
            Auditor found that "many state entities have weaknesses in  
            their controls over information security.  These weaknesses  
            leave some of the State's sensitive data vulnerable to  
            unauthorized use, disclosure, or disruption."

            The Auditor explained that "[CDT] is responsible for ensuring  
            that state entities that are under the direct authority of the  
            governor maintain the confidentiality, integrity, and  
            availability of their information systems and protect the  
            privacy of the State's information."  However, when the Chief  
            Information Security Officer (CISO) within CDT was asked  
            during the hearing to explain how much state agencies were  
            actually spending on cybersecurity, the CISO revealed that her  
            office did not know or track this information.  

            This information is important to effective oversight and  
            management of cybersecurity, as well as benchmarking against  
            other agencies and states.  A July 2015 article in Government  


                                                                    AB 2623

                                                                    Page  4

            Technology magazine entitled "4 Critical Challenges to State  
            and Local Government Cybersecurity Efforts (Industry  
            Perspective)," notes that cybersecurity has become the number  
            one strategic information technology priority for state and  
            local government agencies.  The article also noted that: "The  
            typical state or local government agency spends less than 5%  
            of its IT [information technology] budget on cybersecurity,  
            compared to over 10% in the typical commercial enterprise."

          3)Questions regarding the use of homeland security funds.   
            Tracking state spending on cybersecurity is complicated by the  
            fact that some of the expended funds come to the state in the  
            form of federal grants.  According to the government  
            information Web site, "California has been the  
            recipient of at least $1.9 billion worth of major  
            anti-terrorism grants from Washington, D.C. since the  
            September 11, 2001, attacks, and a succession of reports by  
            the federal government indicate the money hasn't always been  
            spent wisely.  While a U.S. [United States] Department of  
            Homeland Security report released in February 2011 found the  
            state generally 'did an efficient and effective job of  
            administering the program requirements, distributing grant  
            funds, and ensuring that all of the available funds were  
            used,' its inspector general also listed a series of costly  
            missteps."  This bill would require federal funds used for  
            information security purposes to be included in the annual  
            report to CDT.   

          4)This bill in practice.  This bill would mirror an existing  
            requirement for state agencies to annually report their  
            information technology and telecommunications costs to CDT, by  
            requiring a similar annual report for spending on information  
            security costs.  CDT would be responsible for developing  
            instructions and a format for those reports, and would have  
            the flexibility to determine the accounting methodology used  
            to collect the data.    


                                                                    AB 2623

                                                                    Page  5

          Analysis Prepared by:                                             
                          Hank Dempsey / P. & C.P. / (916) 319-2200  FN: