BILL NUMBER: AB 1841AMENDED BILL TEXT AMENDED IN ASSEMBLY MARCH 28, 2016 INTRODUCED BY Assembly Member Irwin FEBRUARY 9, 2016 An act to add Article 6.4 (commencing with Section 8592.30) to Chapter 7 of Division 1 of Title 2 of the Government Code, relating to emergency services. LEGISLATIVE COUNSEL'S DIGEST AB 1841, as amended, Irwin. Office of Emergency Services: duties: cybersecurity. (1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. This bill would require the Office of Emergency Services todevelop andtransmit to theLegislature a state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems, as defined.Legislature, on or before July 1, 2017, the Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18. The bill would further require the office to develop a comprehensive cybersecurity strategy setting standards for state agencies, as defined,and private entities toto, among other things, prepare for cybersecurityattacks oninterference with, or the compromise or incapacitation of, critical infrastructuresystems. The billand would require stateagencies, and authorize private entities,agencies to report itscybersecurity strategycompliance with these standards to the office. The bill would require the office to provide suggestions forimprovement to the cybersecurity strategy of a state agency, and authorize the office to do the same for a private entity, but only for purposes of protecting public health and safety.a state agency to improve compliance with these standards. The bill would prohibit public disclosure ofthe office's state-wide emergency services response plan andpublic records relating to theindividualcybersecurity strategies of stateagencies and private entities.agencies, as specified. (2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest. This bill would make legislative findings to that effect. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. The Legislature finds and declares all the following: (a) The current pervasive use of information technology in publicand privateenterprises has resulted in an abundance of public access to information and services provided by thegovernment and businesses,government, but the increased interdependenceonof information technology systems has created a new type of risk for society.Cybersecurity threatsThreats to publicand privatecritical infrastructuresystemsthat use information technology within the state present risks to public health and safety and could severely disruptprivateeconomic activity within California. (b) Ensuring sufficient preparations are taken to protectthesecritical infrastructuresystemsfromattacks to cybersecurityinterference, compromise, or incapacitation are in the public interest and serve a public purpose. (c) A comprehensive cybersecurity strategy, undertaken in a coordinated effort betweenfederal and state governments and private entities,state agencies, will help prepare forcyberattacks on thesethreats to criticalinfrastructure systems,infrastructure, thereby reducing the potential consequences from those attacks. (d) The Office of Emergency Services, in its role as the lead executive entity that coordinates state resources for emergency preparedness, response, and damage mitigation, isthe propera state entity appropriate to develop, implement, and manage a comprehensive cybersecurity strategy, undertaken in a coordinated effort betweenfederal and state governments and private entities,state agencies, to protectthesecriticalinfrastructure systems from attacks to cybersecurity.infrastructure. The Office of Emergency Services is already developing the necessary expertise in cybersecurity through its current work developing methods to provide emergency services duringa cyberattack.an interference with, or the compromise or incapacitation of, critical infrastructure. (e) It is the intent of the Legislature in enacting this legislation to develop a comprehensive cybersecurity strategy, undertaken in a coordinated effort betweenfederal and state governments and private entities,state agencies, to prepare California forcyberattacks onthreats to critical infrastructuresystemsunder the unifying coordination of the Office of Emergency Services. SEC. 2. Article 6.4 (commencing with Section 8592.30) is added to Chapter 7 of Division 1 of Title 2 of the Government Code, to read: Article 6.4. Cybersecurity8592.30. (a) For purposes of this article, "critical infrastructure systems" shall mean a public or private information technology system that services any of the following sectors: (1) Communications. (2) Emergency services. (3) Energy. (4) Financial Services. (5) Food and Agriculture. (6) Healthcare and public health. (7) Transportation systems. (8) Water and wastewater systems. (b)8592.30. As used in this article, the following definitions shall apply: (a) "Critical infrastructure" means systems and assets so vital to the state that the incapacity or destruction of those systems or assets would have a debilitating impact on security, economic security, public health and safety, or any combination of those matters. (b) "Critical infrastructure information" means information not customarily in the public domain pertaining to any of the following: (1) Actual, potential, or threatened interference with, or an attack on, compromise of, or incapacitation of critical infrastructure by either physical or computer-based attack or other similar conduct, including, but not limited to, the misuse of, or unauthorized access to, all types of communications and data transmission systems, that violates federal, state, or local law, harms economic security, or threatens public health or safety. (2) The ability of critical infrastructure to resist any interference, compromise, or incapacitation, including, but not limited to, any planned or past assessment or estimate of the vulnerability of critical infrastructure, including, but not limited to, security testing, risk evaluation, risk management planning, or risk audits. (3) Any planned or past operational problem or solution regarding critical infrastructure, including, but not limited to, repair, recovery, reconstruction, insurance, or continuity, to the extent it is related to interference, compromise, or incapacitation of critical infrastructure. (c) "Secretary"shall meanmeans the secretary of each state agency as set forth in subdivision (a) of Section 12800.(c)(d) "State agency" or "state agencies"shall havemeans the samemeaningas "state agency" as set forth in Section 11000. 8592.35. (a) On or before July 1, 2017, the office shall transmit to the Legislaturea state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systemsthe Cyber Security Annex to the State Emergency Plan, also known as Emergency Function 18 or EF 18, that includes, but is not limited to, all of the following: (1) Methods for providing emergency services. (2) Command structure for state-wide coordinated emergency services. (3) Emergency service roles of appropriate state agencies. (4) Identification of resources to be mobilized. (5) Public information plans. (6) Continuity of government services. (b)Notwithstanding Section 9795, theThe office shall transmit the plan to the Legislatureby providing a printed copy to the Secretary of the Senate and the Chief Clerk of the Assembly.pursuant to Section 9795. 8592.40. (a) On or before July 1, 2018, the office shall develop a comprehensive cybersecurity strategy setting standards for state agenciesand private entitiesto prepare for cybersecurityattacks oninterference with, or the compromise or incapacitation of, critical infrastructuresystems.and the development of critical infrastructure information, and to transmit critical infrastructure information to the office. In developing the standards, the office shall consider all of the following: (1) Costs to implement the standards.(2) Regional business impacts.(3) National(2) Security of critical infrastructure information. (3) Centralized management of risk. (4) National private industry best practices. (b) The office shall post the cybersecurity strategy on the Internet Web site of the office and transmit a copy to each secretary. 8592.45. (a) Each state agency shalltransmit a cybersecurity strategy that meets the standards set forth inreport on their compliance with the standards developed pursuant to Section 8592.40 to the office in the manner and at the time directed by theoffice.office but no later than January 1, 2019. (b) The office shall provide suggestions forimprovement to the cybersecurity strategy of a state agency, if any,a state agency to improve compliance with the standards developed pursuant to Section 8592.40, if any, to the head of the state agency and the secretary responsible for the state agency. For a state agency that is not under the responsibility of a secretary, the office shall provide any suggestionsfor improvement to a cybersecurity strategy, if any,to the head of the state agency and the Governor.8592.50. (a) A private entity may transmit a cybersecurity strategy that meets the standards set forth in Section 8592.40 to the office. (b) The office shall review and provide suggestions for improvement, if any, to the cybersecurity strategy of a private entity for the purposes of protecting public health and safety, and shall not review or make suggestions to the cybersecurity strategy of a private entity solely for the private benefit of the private entity.8592.55.8592.50(a)Theplan required by Section 8592.35, a state agency cybersecurity strategyreport required by subdivision (a) of Section8592.45, or a private entity cybersecurity strategy authorized by Section 8592.50 are8592.45 and any public records relating to any communication made pursuant to, or in furtherance of the purposes of, subdivision (b) of Section 8592.45 are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).(b) The report to the Legislature required by Section 8592.35 shall not be subject to production pursuant to the Legislative Open Records Act (Article 3.5 (commencing with Section 9070) of Chapter 1.5 of Part 1 of Division 2).SEC. 3. The Legislature finds and declares that Section 2 of this act, which adds Section8592.558592.50 to the Government Code, imposes a limitation on the public's right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest: Preventing public disclosure of theOffice of Emergency Services' state-wide emergency services response plan for cybersecurity attacks on critical infrastructure systems and theindividual cybersecuritystrategiespreparations of state agenciesand private entitiespromotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructuresystemswithin the state.