BILL NUMBER: AB 2720
AMENDED BILL TEXT

AMENDED IN ASSEMBLY MARCH 17, 2016

INTRODUCED BY Assembly Member Chau

FEBRUARY 19, 2016

An act to add Section 11549.41 to the Government Code, relating to state government technology.

LEGISLATIVE COUNSEL'S DIGEST

AB 2720, as amended, Chau. State government: Office of Information Security: cybersecurity vulnerability reporting.

Existing law establishes the Office of Information Security in the Department of Technology, the purpose of which is to ensure the confidentiality, integrity, and availability of state systems and applications.

This bill would authorize the office to establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report, subject to appropriation of sufficient funds by the Legislature. The bill would require the office to develop policies, standards, and procedures for the administration of the program, including eligibility and award criteria. The bill would specify that the minimum award shall be $100, and the maximum award shall be $5,000. The bill would prohibit an individual from receiving an award unless he or she, among other things, has not attempted to access another person's data, or otherwise has not engaged in any unlawful, disruptive, or damaging activity in the course of investigating the existence of the suspected vulnerability and is not a state employee or contractor, or the spouse or immediate family member of a state employee or contractor.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 11549.41 is added to the Government Code, immediately following Section 11549.4, to read:

11549.41. (a) The office, subject to appropriation of sufficient funds by the Legislature, may establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report.

(b) The chief shall have sole discretion, subject to this section, to determine the eligibility of a reported vulnerability and of the individual reporting the vulnerability, and whether to make an award, and, if so, in what amount.

(c) The office shall develop policies, standards, and procedures for the administration of the program, including eligibility and award criteria, subject to the following requirements:

  (1) The policies, standards, and procedures shall specify all of the following:

    (A) That the priority of the program is to identify vulnerabilities in state networks that could compromise the integrity of user data, circumvent the privacy protections in use to protect user data, or enable unauthorized access to state networks or infrastructure.

    (B) Which state agencies and departments are included in the program.

    (C) Qualifying and nonqualifying vulnerabilities.

    (D) That the minimum award for a qualifying vulnerability shall be one hundred dollars ($100), and the maximum award shall be five thousand dollars ($5,000).

    (E) That the determination of the amount of an award made within the range established by subparagraph (D) shall be solely at the discretion of the chief, based upon the sensitivity of the reported vulnerability, the specificity of the report, and any other factor that the chief may deem to be relevant.

  (2) A vulnerability report may be eligible for an award only if both of the following requirements are met:

    (A) The vulnerability was not previously known or reported to the office.

    (B) The report contained all necessary information and is in the required format, as specified by the office.

  (3) An individual may receive an award for submitting an eligible vulnerability report only if all of the following requirements are met:

    (A) He or she has not attempted to access another person's data, or otherwise has not engaged in any unlawful, disruptive, or damaging activity in the course of investigating the existence of the suspected vulnerability.

    (B) He or she is not on any federal sanctions list, or located in a country that is on any federal sanctions list.

    (C) He or she submits a vulnerability report that includes, but is not limited to, a description of the vulnerability, the specific risks involved, and at least one valid description of the circumstances under which the vulnerability could be exploited.

    (D) He or she is not a state employee or contractor, or the spouse or immediate family member of a state employee or contractor.

    (E) He or she does not knowingly make any false, fictitious, or fraudulent statements or representations to the office when submitting information under this section, or knowingly include any false, fictitious, or fraudulent writing, document, statement, or entry therein.

(d) Nothing in this section shall be construed to authorize or immunize the violation of law or agreement in any way, or to otherwise disrupt, damage, or compromise the data or systems of another person.

(e) Any reward that remains unclaimed after a period of 12 months shall be deposited into the General Fund.

SECTION 1. Section 11549.41 is added to the Government Code, to read:

11549.41. The office, subject to appropriation of sufficient funds by the Legislature, is authorized to establish a Cybersecurity Vulnerability Reporting Reward Program for the purpose of soliciting eligible individuals to identify and report previously unknown vulnerabilities in state computer networks and making a monetary award for an eligible report.