BILL NUMBER: AB 2720    AMENDED
BILL TEXT

AMENDED IN ASSEMBLY MARCH 17, 2016

INTRODUCED BY   Assembly Member Chau

                        FEBRUARY 19, 2016

   An act to add Section 11549.41 to the Government Code, relating to
state government technology.


LEGISLATIVE COUNSEL'S DIGEST


   AB 2720, as amended, Chau. State government: Office of Information
Security: cybersecurity vulnerability reporting.
   Existing law establishes the Office of Information Security in the
Department of Technology, the purpose of which is to ensure the
confidentiality, integrity, and availability of state systems and
applications.  
   This bill would authorize the office to establish a Cybersecurity
Vulnerability Reporting Reward Program for the purpose of soliciting
eligible individuals to identify and report previously unknown
vulnerabilities in state computer networks and making a monetary
award for an eligible report, subject to appropriation of sufficient
funds by the Legislature. The bill would require the office to
develop policies, standards, and procedures for the administration of
the program, including eligibility and award criteria. The bill
would specify that the minimum award shall be $100, and the maximum
award shall be $5,000. The bill would prohibit an individual from
receiving an award unless he or she, among other things, has not
attempted to access another person's data, or otherwise has not
engaged in any unlawful, disruptive, or damaging activity in the
course of investigating the existence of the suspected vulnerability
and is not a state employee or contractor, or the spouse or immediate
family member of a state employee or contractor.  
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.  Section 11549.41 is added to the Government Code,
immediately following Section 11549.4, to read:
   11549.41.  (a) The office, subject to appropriation of sufficient
funds by the Legislature, may establish a Cybersecurity Vulnerability
Reporting Reward Program for the purpose of soliciting eligible
individuals to identify and report previously unknown vulnerabilities
in state computer networks and making a monetary award for an
eligible report.
   (b) The chief shall have sole discretion, subject to this section,
to determine the eligibility of a reported vulnerability and of the
individual reporting the vulnerability, and whether to make an award,
and, if so, in what amount.
   (c) The office shall develop policies, standards, and procedures
for the administration of the program, including eligibility and
award criteria, subject to the following requirements:
   (1) The policies, standards, and procedures shall specify all of
the following:
   (A) That the priority of the program is to identify
vulnerabilities in state networks that could compromise the integrity
of user data, circumvent the privacy protections in use to protect
user data, or enable unauthorized access to state networks or
infrastructure.
   (B) Which state agencies and departments are included in the
program.
   (C) Qualifying and nonqualifying vulnerabilities.
   (D) That the minimum award for a qualifying vulnerability shall be
one hundred dollars ($100), and the maximum award shall be five
thousand dollars ($5,000).
   (E) That the determination of the amount of an award made within
the range established by subparagraph (D) shall be solely at the
discretion of the chief, based upon the sensitivity of the reported
vulnerability, the specificity of the report, and any other factor
that the chief may deem to be relevant.
   (2) A vulnerability report may be eligible for an award only if
both of the following requirements are met:
   (A) The vulnerability was not previously known or reported to the
office.
   (B) The report contained all necessary information and is in the
required format, as specified by the office.
   (3) An individual may receive an award for submitting an eligible
vulnerability report only if all of the following requirements are
met:
   (A) He or she has not attempted to access another person's data,
or otherwise has not engaged in any unlawful, disruptive, or damaging
activity in the course of investigating the existence of the
suspected vulnerability.
   (B) He or she is not on any federal sanctions list, or located in
a country that is on any federal sanctions list.
   (C) He or she submits a vulnerability report that includes, but is
not limited to, a description of the vulnerability, the specific
risks involved, and at least one valid description of the
circumstances under which the vulnerability could be exploited.
   (D) He or she is not a state employee or contractor, or the spouse
or immediate family member of a state employee or contractor.
   (E) He or she does not knowingly make any false, fictitious, or
fraudulent statements or representations to the office when
submitting information under this section, or knowingly include any
false, fictitious, or fraudulent writing, document, statement, or
entry therein.
   (d) Nothing in this section shall be construed to authorize or
immunize the violation of law or agreement in any way, or to
otherwise disrupt, damage, or compromise the data or systems of
another person.
   (e) Any reward that remains unclaimed after a period of 12 months
shall be deposited into the General Fund.
   SECTION 1.  Section 11549.41 is added to the Government Code, to
read:
   11549.41.  The office, subject to appropriation of sufficient
funds by the Legislature, is authorized to establish a Cybersecurity
Vulnerability Reporting Reward Program for the purpose of soliciting
eligible individuals to identify and report previously unknown
vulnerabilities in state computer networks and making a monetary
award for an eligible report.