California 2015 2015-2016 Regular Session

California Assembly Bill AB1841 Introduced / Bill

Filed 02/09/2016

BILL NUMBER: AB 1841

INTRODUCED

BILL TEXT

INTRODUCED BY Assembly Member Irwin

FEBRUARY 9, 2016

An act to add Article 6.4 (commencing with Section 8592.30) to Chapter 7 of Division 1 of Title 2 of the Government Code, relating to emergency services.

LEGISLATIVE COUNSEL'S DIGEST

AB 1841, as introduced, Irwin. Office of Emergency Services: duties: cybersecurity.

(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state.

This bill would require the Office of Emergency Services to develop and transmit to the Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined. The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined, and private entities to prepare for cybersecurity attacks on critical infrastructure systems. The bill would require state agencies, and authorize private entities, to report its cybersecurity strategy to the office. The bill would require the office to provide suggestions for improvement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety. The bill would prohibit public disclosure of the office's state-wide emergency services response plan and the individual cybersecurity strategies of state agencies and private entities.

(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.

This bill would make legislative findings to that effect.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. The Legislature finds and declares all the following:

(a) The current pervasive use of information technology in public and private enterprises has resulted in an abundance of public access to information and services provided by the government and businesses, but the increased interdependence on information technology systems has created a new type of risk for society. Cybersecurity threats to public and private critical infrastructure systems that use information technology within the state present risks to public health and safety and could severely disrupt private economic activity within California.

(b) Ensuring sufficient preparations are taken to protect these critical infrastructure systems from attacks to cybersecurity are in the public interest and serve a public purpose.

(c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, will help prepare for cyberattacks on these critical infrastructure systems, thereby reducing the potential consequences from those attacks.

(d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, is the proper state entity to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, to protect these critical infrastructure systems from attacks to cybersecurity. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services during a cyberattack.

(e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort between federal and state governments and private entities, to prepare California for cyberattacks on critical infrastructure systems under the unifying coordination of the Office of Emergency Services.

SEC. 2. Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read:

Article 6.4. Cybersecurity

8592.30. (a) For purposes of this article, "critical infrastructure systems" shall mean a public or private information technology system that services any of the following sectors:
(1) Communications.
(2) Emergency services.
(3) Energy.
(4) Financial Services.
(5) Food and Agriculture.
(6) Healthcare and public health.
(7) Transportation systems.
(8) Water and wastewater systems.

(b) "Secretary" shall mean the secretary of each state agency as set forth in subdivision (a) of Section 12800.

(c) "State agency" or "state agencies" shall have the same meaning as "state agency" as set forth in Section 11000.

8592.35. (a) On or before July 1, 2017, the office shall transmit to the Legislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems that includes, but is not limited to, all of the following:
(1) Methods for providing emergency services.
(2) Command structure for state-wide coordinated emergency services.
(3) Emergency service roles of appropriate state agencies.
(4) Identification of resources to be mobilized.
(5) Public information plans.
(6) Continuity of government services.

(b) Notwithstanding Section 9795, the office shall transmit the plan to the Legislature by providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly.

8592.40. (a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state agencies and private entities to prepare for cybersecurity attacks on critical infrastructure systems. In developing the standards, the office shall consider all of the following:
(1) Costs to implement the standards.
(2) Regional business impacts.
(3) National private industry best practices.

(b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary.

8592.45. (a) Each state agency shall transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office in the manner and at the time directed by the office.

(b) The office shall provide suggestions for improvement to the cybersecurity strategy of a state agency, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide suggestions for improvement to a cybersecurity strategy, if any, to the head of the state agency and the Governor.

8592.50. (a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office.

(b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity.

8592.55. (a) The plan required by Section 8592.35, a state agency cybersecurity strategy required by Section 8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).

(b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2).

SEC. 3. The Legislature finds and declares that Section 2 of this act, which adds Section 8592.55 to the Government Code, imposes a limitation on the public's right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:

Preventing public disclosure of the Office of Emergency Services' state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and the individual cybersecurity strategies of state agencies and private entities promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure systems within the state.