BILL ANALYSIS �
------------------------------------------------------------
|fSENATE RULES COMMITTEE | AB 2091|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
------------------------------------------------------------
THIRD READING
Bill No: AB 2091
Author: Conway (R)
Amended: 6/29/10 in Senate
Vote: 21
SENATE JUDICIARY COMMITTEE : 4-0, 6/22/10
AYES: Corbett, Harman, Hancock, Leno
NO VOTE RECORDED: Walters
ASSEMBLY FLOOR : 76-0, 5/13/10 (Consent) - See last page
for vote
SUBJECT : Public records: information security
SOURCE : Office of the State Chief Information Officer
DIGEST : This bill exempts from disclosure under the
California Public Records Act information security records
that would reveal vulnerabilities of an information
technology system or increase the potential for cyber
attacks.
ANALYSIS : Existing law, the California Public Records
Act (CPRA), requires state and local agencies to make
public records available upon receipt of a request that
reasonably describes an identifiable record not otherwise
exempt from disclosure. (Section 6253 of the Government
Code [GOV])
Existing law defines a state agency as every state office,
CONTINUED
�
AB 2091
Page
2
officer, department, division, bureau, board, and
commission or other state body or agency, except those
agencies provided for in Article IV (except Section 20
thereof) or Article VI of the California Constitution.
(GOV Section 6252(f))
Existing law exempts from public disclosure records of
intelligence information or security procedures of various
state agencies, as specified. (GOV Section 6254(f))
Existing law exempts from public disclosure documents
prepared by or for a state or local agency that assess
vulnerability to terrorist attack or other criminal acts
intended to disrupt that public agency's operations. (GOV
Section 6254(aa))
Existing law entrusts the Office of the State Chief
Information Officer (OSCIO) with the task of establishing
and enforcing state information technology strategic plans,
policies, standards, and enterprise architecture. (GOV
Section 11545(b)(6))
Existing law requires the OSCIO to prepare an annual
information technology strategic plan that shall guide the
acquisition, management, and use of information technology.
(GOV Section 11545(c))
This bill provides that nothing in the CPRA shall be
construed to require the disclosure of an information
security record of a public agency, if, on the facts of the
particular case, disclosure of that record would reveal
vulnerabilities to, or otherwise increase the potential for
an attack on, an information technology system of a public
agency. Nothing in this bill shall be construed to limit
public disclosure of records stored within an information
technology system of a public agency that are not otherwise
exempt from disclosure pursuant to the provisions of the
CPRA or any other provision of law.
FISCAL EFFECT : Appropriation: No Fiscal Com.: No
Local: No
SUPPORT : (Verified 6/29/10)
�
AB 2091
Page
3
Office of the State Chief Information Officer (source)
California State Association of Counties
Desert Water Agency
East Valley Water District
El Dorado Irrigation District
ARGUMENTS IN SUPPORT : The California State Association
of Counties argues in support of the bill as follows:
"[T]he [C]PRA expressly exempts certain types of records
from disclosure. Exemptions previously granted involve
sensitive documents such as those including confidential
medical information and assessments of a public agency's
physical security threats. AB 2091 would establish
Government Code Section 6254.19 making specified
information security documents and information exempt
from required disclosure.
"Counties believe this narrow exemption makes sense.
Public entities' reliance on information technology to
manage its operations and work efficiently is, obviously,
very extensive. Public agencies' ability to make use of
technological advances and tools should not be hindered
by fears that they could be required to turn over
sensitive information[,] security documentation or files.
AB 2091 would merely build upon previously approved
exemptions in the [C]PRA where a compelling argument can
be made that the public benefit of keeping certain
matters confidential exceeds the benefit of disclosing
that information. Divulging specific information about
local and/or state agencies' information systems - such
as those items covered by the bill (security plans, risk
assessments, incident reports, audits, and disaster
recovery plans) - presents far too many risks.
Unfortunately, the growth of information technology also
brings with it increased opportunities for hacking and
other illegal activities. AB 2091 would simply create a
narrow exception within the [C]PRA, which would provide
public agencies with needed protection from the risk of
security breaches and nefarious use of sensitive
information."
�
AB 2091
Page
4
ASSEMBLY FLOOR :
AYES: Adams, Ammiano, Anderson, Arambula, Bass, Beall,
Bill Berryhill, Tom Berryhill, Blakeslee, Block,
Blumenfield, Bradford, Brownley, Buchanan, Charles
Calderon, Carter, Chesbro, Conway, Cook, Coto, Davis, De
La Torre, De Leon, DeVore, Emmerson, Eng, Evans, Feuer,
Fletcher, Fong, Fuentes, Fuller, Furutani, Gaines,
Galgiani, Garrick, Gilmore, Hagman, Hall, Harkey,
Hayashi, Hernandez, Hill, Huber, Huffman, Jeffries,
Jones, Knight, Lieu, Logue, Bonnie Lowenthal, Ma,
Mendoza, Miller, Monning, Nava, Nestande, Niello,
Nielsen, V. Manuel Perez, Portantino, Ruskin, Salas,
Saldana, Silva, Smyth, Solorio, Audra Strickland,
Swanson, Torlakson, Torres, Torrico, Tran, Villines,
Yamada, John A. Perez
NO VOTE RECORDED: Caballero, Norby, Skinner, Vacancy
RJG:mw 6/29/10 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****