Code Section Group

Government Code - GOV

TITLE 2. GOVERNMENT OF THE STATE OF CALIFORNIA [8000 - 22980]

  ( Title 2 enacted by Stats. 1943, Ch. 134. )

DIVISION 1. GENERAL [8000 - 8899.24]

  ( Division 1 enacted by Stats. 1943, Ch. 134. )

CHAPTER 7. California Emergency Services Act [8550 - 8668]

  ( Chapter 7 added by Stats. 1970, Ch. 1454. )

ARTICLE 6.4. Cybersecurity [8592.30 - 8592.45]
  ( Article 6.4 added by Stats. 2016, Ch. 508, Sec. 2. )

8592.30.
  

As used in this article, the following definitions shall apply:

(a) “Critical infrastructure controls” means networks and systems controlling assets so vital to the state that the incapacity or destruction of those networks, systems, or assets would have a debilitating impact on public health, safety, economic security, or any combination thereof.

(b) “Critical infrastructure information” means information not customarily in the public domain pertaining to any of the following:

(1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure controls by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law or harms public health, safety, or economic security, or any combination thereof.

(2) The ability of critical infrastructure controls to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure.

(3) Any planned or past operational problem or solution regarding critical infrastructure controls, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure controls.

(c) “Department” means the Department of Technology.

(d) “Office” means the Office of Emergency Services.

(e) “Secretary” means the secretary of each state agency as set forth in subdivision (a) of Section 12800.

(f) “State agency” or “state agencies” means the same as “state agency” as set forth in Section 11000.

(Added by Stats. 2016, Ch. 508, Sec. 2. Effective January 1, 2017.)

8592.35.
  

(a) (1) On or before July 1, 2018, the department shall, in consultation with the office and compliance with Section 11549.3, update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.

(2) In updating the standards in paragraph (1), the department shall consider, but not be limited to considering, all of the following:

(A) Costs to implement the standards.

(B) Security of critical infrastructure information.

(C) Centralized management of risk.

(D) Industry best practices.

(E) Continuity of operations.

(F) Protection of personal information.

(b) Each state agency shall provide the department with a copy of its updated Technology Recovery Plan.

(Added by Stats. 2016, Ch. 508, Sec. 2. Effective January 1, 2017.)

8592.40.
  

(a) Each state agency shall report on its compliance with the standards updated pursuant to Section 8592.35 to the department in the manner and at the time directed by the department, but no later than July 1, 2019.

(b) The department, in conjunction with the office, may provide suggestions for a state agency to improve compliance with the standards developed pursuant to Section 8592.35, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the department shall provide any suggestions to the head of the state agency and the Governor.

(Added by Stats. 2016, Ch. 508, Sec. 2. Effective January 1, 2017.)

8592.45.
  

 The information required by subdivision (b) of Section 8592.35, the report required by subdivision (a) of Section 8592.40, and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.40 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).

(Added by Stats. 2016, Ch. 508, Sec. 2. Effective January 1, 2017.)

GOVGovernment Code - GOV6.4.