BILL ANALYSIS
AB 2091
Page 1
Date of Hearing: May 5, 2010
ASSEMBLY COMMITTEE ON GOVERNMENTAL ORGANIZATION
Joe Coto, Chair
AB 2091 (Conway) - As Introduced: February 18, 2010
SUBJECT : Public records: information security
SUMMARY : Exempts the information security reports of a state
agency from the California Public Records Act (Act).
Specifically, this bill :
1)Exempts from disclosure the records of a public agency
relating to information security and the investigatory or
security files compiled by a public agency for information
security purposes.
2)Adds a section that clarifies that nothing in this bill shall
be construed to require the disclosure of a public agency's
records relating to information security, including, but not
limited to, all of the following:
a) Information security plans.
b) Information security risk assessments.
c) Information security audit and evaluation reports.
d) Information security incident reports.
e) Disaster recovery plans.
f) Records relating to the information security program
established pursuant to Government Code Section 11549.3,
relating to information technology and the creation,
updating, and publishing of information security and
privacy policies, standards and procedures for state
agencies in the State Administrative Manual.
3)Makes legislative findings and declarations relating to
information security.
EXISTING LAW :
1)Establishes the California Public Records Act and requires
state and local agencies to make their records available for
public inspection and to make copies available upon request
and payment of a fee unless those records are exempt from
disclosure.
a) Exempts investigatory or security files compiled by a
public agency, as defined, for correctional, law
enforcement, or licensing purposes.
2)Requires, under Section 3 of Article I of the California
Constitution, a statute which limits the public's right of
access to information concerning the public's business to be
adopted with findings demonstrating the interest protected and
the need for protecting that interest.
3)Provides, under Section 3 of Article I of the California
Constitution, that the people have the right to instruct their
representatives, petition government for redress of
grievances, and assemble freely to consult for the common
good.
FISCAL EFFECT : This bill is keyed non-fiscal.
COMMENTS : This bill is intended to provide a specific
exemption from disclosure under the Act to protect California
residents from information security breaches.
Background . According to the author, the information security
reports prescribed in this bill contain highly sensitive
documentation. The author adds that this information is to be
stored securely, with access limited to only authorized
personnel, and protected at all times.
These reports identify the types of systems relied upon by the
state, the known risks and vulnerabilities of those types of
systems and the state's mitigation strategy. Through this
loophole, most of the record would require redaction - to the
extent of rendering the information useless to the requestor.
This bill seeks to address this problem by exempting the
information security reports of a state agency from the Act.
In support . OCIO supports this bill because they believe that
it will "clearly codify information security documents as
exempt?"
In an April 30, 2010 letter, OCIO explains their support for
this bill based on the following: "As the office continues to
provide strategic direction to the state's departments and
agencies, detailed documentation of the [state] system's
infrastructure will be compiled and reviewed by OCIO."
OCIO further states that, "California Government Code Section
6254 (aa) already allows for a 'document prepared by or for a
state or local agency that assesses its vulnerability to
terrorist attack or other criminal acts intended to disrupt the
public agency's operations' to be exempted from public
disclosure."
Related legislation . AB 1682 (Torres, 2009-2010 Legislative
Session) authorizes city and county governing bodies to
authorize their sheriffs and police chiefs to establish a
procedure to protect the confidential personal information of a
victim or alleged victim of a crime. Passed the Assembly
Governmental Organization Committee on April 21, 2010. In
Assembly Public Safety Committee.
AB 2220 (Silva, 2009-2010 Legislative Session) designates
regional centers as a local agency and requires them to be
subject to the California Public Records Act. Passed the
Assembly Governmental Organization Committee on April 21, 2010.
In Assembly Appropriations Committee.
SB 330 (Yee, 2009-2010 Legislative Session) redefines auxiliary
organizations of the California State University, California
Community Colleges, and the University of California as a "local
agency" and a "state agency" under the California Public Records
Act. In Assembly Higher Education.
SB 218 (Yee, 2009-2010 Legislative Session) redefines auxiliary
organizations of the California State University, California
Community Colleges, and the University of California as a "local
agency" and a "state agency" under the California Public Records
Act. Vetoed by the Governor on October 11, 2009.
Prior legislation . SB 359 (Romero, Chapter 584, Statutes of
2009) updates the statute within the California Public Records
Act that contains an alphabetical list of records that are
exempt from disclosure. This law also requires that a standing
committee of the Legislature introduce a bill at the beginning
of each two-year session that updates this alphabetical list of
records exempt from disclosure under the California Public
Records Act.
SB 1832 (Kehoe, 2005-2006 Legislative Session) provides that a
state agency shall not charge a fee for a copy of a public
record that it is required to disclose if disclosure of the
record is in the public interest because it is likely to
contribute to the public understanding of the operations or
activities of the government and not primarily in the commercial
interest of the requester. Referred to the Senate Judiciary
Committee. Never heard in Committee.
AB 1209 (Nakano, Chapter 8, Statutes of 2004) extends the
California Public Records Act exemptions to records prepared for
state or local public agencies that assess vulnerability to
terrorist attacks and emergency response plans prepared to
address those assessments. This law adds to those law
enforcement records that are exempt from the California Public
Records Act, customer lists that are provided by an alarm or
security company to a state or local police agency at the
request of the agency.
AB 1933 (Pacheco, Chapter 937, Statutes of 2004) clarifies an
existing prohibition on obtaining addresses from crime reports
for marketing purposes by specifying that such information may
not be obtained and shared with another person or entity for
marketing purposes.
AB 2714 (Spitzer, 2003-2004 Legislative Session) repeals the
Legislative Open Records Act and makes the Legislature subject
to the California Public Records Act. Referred to the Assembly
Governmental Organization Committee. Never heard in Committee.
REGISTERED SUPPORT / OPPOSITION :
Support
Office of the Chief State Information Officer (Sponsor)
Opposition
None on file
Analysis Prepared by : Rod Brewer / G. O. / (916) 319-2531