Compare Versions


PDF |Add To My Favorites | print page

AB-1359 Cybersecurity: critical infrastructure business: breach notification.(2017-2018)



Current Version: 04/27/17 - Amended Assembly Compare Versions information image


AB1359:v97#DOCUMENT

Amended  IN  Assembly  April 27, 2017
Amended  IN  Assembly  April 17, 2017

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill
No. 1359

Introduced by Assembly Member Chau

February 17, 2017

An act to add Chapter 7.1 (commencing with Section 8669) to Division 1 of Title 2 of the Government Code, relating to information security.


LEGISLATIVE COUNSEL'S DIGEST


AB 1359, as amended, Chau. Cybersecurity: critical infrastructure business: breach notification.
(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.
Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where if the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.
This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services. Services, as specified. The bill would deem a critical infrastructure business to be in compliance with this requirement with respect to a breach if it complies with specified requirements related to disclosing that breach to the multistate information sharing and analysis center. The bill would require a critical infrastructure business to disclose breaches in a form and manner provided by the office, and without unreasonable delay, except as provided. The bill would otherwise prohibit public disclosure of the information and reports required by its provisions.
(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read:
CHAPTER  7.1. Cybersecurity

8669.
 For purposes of this chapter, the following terms have the following meanings:
(a) “Breach of security” means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.
(b) “Critical infrastructure” means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
(c) “Critical infrastructure business” means a person or entity that conducts business in a critical infrastructure sector in California.
(d) “Critical infrastructure controls” has the same meaning as defined in subdivision (a) of Section 8592.30.
(e) “Critical infrastructure information” has the same meaning as defined in subdivision (b) of Section 8592.30.
(f) “Critical infrastructure sector” means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.
(g) “Office” means the Office of Emergency Services.

8669.1
 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.
(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, section shall be deemed to be in compliance with the notification requirements of this section.
(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:
(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.
(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.
(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.
(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(f) Notwithstanding subdivision (a), a person or business that experiences a breach of security that only results in the loss of personal information, and that reports the breach to the Attorney General in compliance with subdivision (f) Section 1798.82 of the Civil Code, shall be deemed to be in compliance with the notification requirements of this section.

8669.2.
 This chapter shall become operative on January 1, 2019.

SEC. 2.

 The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.