Today's Law As Amended



AB-1359 Cybersecurity: critical infrastructure business: breach notification. (2017-2018)





SECTION 1.
Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read:

CHAPTER 7.1. Cybersecurity
8669.
For purposes of this chapter, the following terms have the following meanings:
(a) “Breach of security” means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.
(b) “Critical infrastructure” means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
(c) “Critical infrastructure business” means a person or entity that conducts business in a critical infrastructure sector in California.
(d) “Critical infrastructure controls” has the same meaning as defined in subdivision (a) of Section 8592.30.
(e) “Critical infrastructure information” has the same meaning as defined in subdivision (b) of Section 8592.30.
(f) “Critical infrastructure sector” means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.
(g) “Office” means the Office of Emergency Services.
8669.1.
(a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.
(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section shall be deemed to be in compliance with the notification requirements of this section.
(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:
(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.
(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.
(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(f) Notwithstanding subdivision (a), a person or business that experiences a breach of security that only results in the loss of personal information, and that reports the breach to the Attorney General in compliance with subdivision (f) of Section 1798.82 of the Civil Code, shall be deemed to be in compliance with the notification requirements of this section.
8669.2.
This chapter shall become operative on January 1, 2019.
SEC. 2.
The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.