Bill Text

AB-2225 State government: storing and recording: public records. (2017-2018)

Date Published: 09/19/2018 09:00 PM

Assembly Bill No. 2225
CHAPTER 535

An act to amend Section 12168.7 of the Government Code, relating to state government.

[ Approved by Governor  September 19, 2018. Filed with Secretary of State  September 19, 2018. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 2225, Limón. State government: storing and recording: public records.
Existing law establishes the Department of Technology, under the supervision of the Director of Technology, to, among other things, establish and enforce state information technology strategic plans, policies, standards, and enterprise architecture.
Existing law requires the Secretary of State to approve and adopt appropriate standards established by the American National Standards Institute in order to ensure that uniform statewide standards for storing and recording permanent documents in electronic media remain current and relevant. Existing law requires those standards to include a requirement that a trusted system, as defined for purposes of these provisions and for purposes of provisions relating to the duties of county auditors, treasurers, and recorders, be utilized, and further specifies that a cloud computing storage service that complies with specified standards shall be considered a trusted system. Existing law specifies that, for purposes of those provisions, “cloud computing” is defined in a specified publication of the National Institute of Standards and Technology.
This bill would instead require the Secretary of State, in consultation with the Department of Technology, to approve and adopt appropriate uniform statewide standards, as specified, for the purpose of storing and recording public records, described as permanent and nonpermanent documents, in electronic media or in a cloud computing storage system. The bill would require a cloud computing storage service that complies with specified requirements that provide administrative users with controls to prevent stored public records from being overwritten, deleted, or altered to be considered a trusted system, and would require all public records stored or recorded in electronic media or in a cloud computing service by a state agency to comply with a trusted system as defined in the uniform statewide standards and as otherwise specified. The bill would require a trusted system using cloud computing storage service to comply with applicable standards articulated in the State Administrative Manual and the Statewide Information Management Manual. The bill would also require a state agency, prior to establishing an information technology system interconnection or data exchange with a local government entity or otherwise partnering with a local government entity for the development, use, or maintenance of an information technology system, product, or service to first enter into a written agreement with that local government entity for the purpose of establishing mutually agreeable terms that protect relevant public records.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) Use of cloud storage for any business operation is a benefit to the state and to local public entities.
(b) There is within the Government Operations Agency the Department of Technology under the supervision of the Director of Technology, who also serves as the State Chief Information Officer. The department is generally responsible for the approval and oversight of information technology projects by, among other things, consulting with state agencies during initial project planning to ensure that project proposals are based on well-defined programmatic needs.
(c) There is within the Department of Technology the Office of Information Security, under the supervision of the Chief of the Office of Information Security. The office provides direction for information security and privacy to state government agencies.

SEC. 2.

 Section 12168.7 of the Government Code is amended to read:

12168.7.
 (a) The Legislature hereby recognizes the need to adopt uniform statewide standards for the purpose of storing and recording public records in electronic media or in a cloud computing storage service.
(b) In order to ensure that uniform statewide standards remain current and relevant, the Secretary of State, in consultation with the Department of Technology, shall approve and adopt appropriate uniform statewide standards by using standards that are accredited by the American National Standards Institute or other applicable industry-recognized standards making body, including the International Organization for Standardization TR 15801:2017 or successor standard, for storing and recording public records in electronic media or in a cloud computing storage service.
(c) (1) The standards specified in subdivision (b) shall include a requirement that a trusted system be utilized. For this purpose and for purposes of Sections 25105, 26205, 26205.1, 26205.5, 26907, 27001, 27322.2, 34090.5, and 60203, Section 102235 of the Health and Safety Code, and Section 10851 of the Welfare and Institutions Code, “trusted system” means a combination of technologies, policies, and procedures for which there is no plausible scenario in which a public record retrieved from or reproduced by the system could differ substantially from the public record that is originally stored.
(2) For a state agency that stores and records public records pursuant to this section, the uniform statewide standards specified in subdivision (b) shall include a definition of “trusted system” that combines the various elements of trusted systems specified in this section.
(d) (1) A cloud computing storage service that complies with International Organization for Standardization ISO/IEC 27001:2013, or other applicable industry-recognized standards relating to techniques and information security management, and that provides administrative users with controls to prevent stored public records from being overwritten, deleted, or altered, shall be considered a trusted system.
(2) Notwithstanding paragraph (1), all public records stored or recorded in electronic media or in a cloud computing service by a state agency shall comply with a trusted system as defined in the uniform statewide standards adopted pursuant to subdivision (b).
(e) A trusted system using cloud computing storage service shall also comply with applicable standards articulated in the State Administrative Manual and the Statewide Information Management Manual. This requirement applies to state agencies and does not apply to local government entities, except to local government entities that have a system interconnection or data exchange with a state agency, or that contract with a state agency, for the development, use, or maintenance of an information system, product, solution, or service.
(f) (1) A state agency, prior to establishing an information technology system interconnection or data exchange with a local government entity or otherwise partnering with a local government entity for the development, use, or maintenance of an information technology system, product, or service, shall first enter into a written agreement with that local government entity for the purpose of establishing mutually agreeable terms that protect relevant public records.
(2) The requirements of paragraph (1) shall apply prospectively, after the effective date of this subdivision, to new agreements of the types specified and to existing agreements of the types specified when they are considered for renewal.
(g) For the purposes of this section, the following definitions shall apply:
(1) “Cloud computing” has the same definition as the term is defined by the National Institute of Standards and Technology Special Publication 800-145, or a successor publication, and includes the service and deployment models referenced therein.
(2) “Public records” includes permanent and nonpermanent documents.
(3) “State agency” has the same meaning as that term is defined in Section 11000.
(h) The Secretary of State shall ensure that microfilming, electronic data imaging, and photographic reproduction are done in compliance with the minimum standards or guidelines, or both, as recommended by the American National Standards Institute for recording of public records or any other applicable and comparable industry standard.
(i) Nothing in this section shall prohibit a local government entity from adopting applicable standards articulated in the Secretary of State’s uniform statewide standards for Trustworthy Electronic Document or Record Preservation, the State Administrative Manual, or the Statewide Information Management Manual for purposes of utilizing a trusted system as defined in subdivision (c).