Bill Text

Bill Information


Bill PDF |Add To My Favorites | print page

AB-2355 School cybersecurity.(2021-2022)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 09/26/2022 09:00 PM
AB2355:v95#DOCUMENT

Assembly Bill No. 2355
CHAPTER 498

An act to add and repeal Article 8.5 (commencing with Section 35265) of Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, relating to school security.

[ Approved by Governor  September 23, 2022. Filed with Secretary of State  September 23, 2022. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 2355, Salas. School cybersecurity.
Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.
Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in our state.
This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.
This bill would repeal those provisions as of January 1, 2027.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read:
Article  8.5. Cybersecurity

35265.
 For purposes of this article, the following definitions apply:
(a) “California Cybersecurity Integration Center” or “Center” means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.
(b) “Cyberattack” means either of the following:
(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.
(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.
(c) “Local educational agency” means a school district, county office of education, or charter school.

35266.
 (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.
(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.
(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.
(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.

35267.
 This article shall remain in effect only until January 1, 2027, and as of that date is repealed.

SEC. 2.

 If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.