BILL NUMBER: AB 853AMENDED BILL TEXT AMENDED IN ASSEMBLY APRIL 30, 2015 AMENDED IN ASSEMBLY MARCH 24, 2015 INTRODUCED BY Assembly Member Roger Hernndez FEBRUARY 26, 2015 An act to add Section 764 to the Public Utilities Code, relating to energy. LEGISLATIVE COUNSEL'S DIGEST AB 853, as amended, Roger Hernndez. Electrical and gas corporations: security of plant and facilities. Under existing law, the Public Utilities Commission has regulatory authority over public utilities, including electrical corporations and gas corporations, as defined. If the commission finds after a hearing that the rules, practices, equipment, appliances, facilities, or service of any public utility, or of the methods of manufacture, distribution, transmission, storage, or supply employed by the public utility, are unjust, unreasonable, unsafe, improper, inadequate, or insufficient, the Public Utilities Act requires that the commission determine and, by order or rule, fix the rules, practices, equipment, appliances, facilities, service, or methods to be observed, furnished, constructed, enforced, or employed. The Public Utilities Act requires the commission to prescribe rules for the performance of any service or the furnishing of any commodity of the character furnished or supplied by any public utility and, on proper demand and tender of rates, require the public utility to furnish the commodity or render the service within the time and upon the conditions provided in the rules adopted by the commission. This bill would, to the extent feasible, require an electrical corporation or gas corporation to utilize direct employees, as defined, for any work associated with the design, engineering, and operation of its nuclear, electrical, and gas infrastructure, including all computer and information technology systems, unless the utility files a Tier 3 advice letter with the commission that demonstrates that the work can be performed safely and securely, and without jeopardizing the security of its nuclear, electrical, and gasinfrastructureinfrastructure, by persons that are not direct employees. The bill would require the commission to open a proceeding, or expand the scope of an existing proceeding, to evaluate the advice letter and to hold not less than one duly noticed public hearing for the proceeding. The bill would require the commission to issue a written decision determining whether the electrical corporation or gas corporation may utilize persons that are not direct employees for the described work. Under existing law, a violation of the Public Utilities Act or any order, decision, rule, direction, demand, or requirement of the commission is a crime. Because the provisions of this bill would be a part of the act and because a violation of an order or decision of the commission implementing its requirements would be a crime, the bill would impose a state-mandated local program by creating a new crime. The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 764 is added to the Public Utilities Code, to read: 764. (a) The Legislature finds and declares all of the following: (1) Protecting the security of nuclear, electrical, and natural gas utility systems is a paramount state interest. (2) Protecting the privacy of ratepayers' personal information, including usage information, is a paramount state interest. (3) Recent intrusions into major corporate computer systems, including Sony and Anthem Blue Cross, and the theft of information from those systems have demonstrated the vulnerability of those systems. (4) The computer systems of California's electrical corporations and gas corporations have information about the design, engineering, and operation of the nuclear, electrical, and natural gas utility infrastructure, as well as personal information about California ratepayers. This information could be used to compromise the security of California's utility infrastructure and the privacy of California' s ratepayers. (5) Widespread deployment of smart meters, smart grid equipment, and microgrids increases the importance of protecting the computer systems of electrical corporations and gas corporations. (6) The part of any computer system that is most vulnerable to being compromised is the personnel who operate that system. (7) Electrical corporations and gas corporations should make every reasonable effort to protect their computer systems from unauthorized intrusions. (8) To protect the security of electrical and natural gas utility computer systems, including nuclear infrastructure, the information technology personnel who operate those systems should be direct employees of the electrical corporation or gas corporation. (9) To protect the security of nuclear, electrical, and gas utility infrastructure, the design, engineering, and operation of that infrastructure should, to the extent feasible, be performed by direct employees of the electrical corporation or gas corporation. (b) For purposes of this section, "direct employees" for construction or maintenance work include the employees of a contractor or subcontractor licensed in California and working under the direct supervision of the electrical corporation or gas corporation. (c) To the extent feasible, an electrical corporation or gas corporation shall utilize direct employees for any work associated with the design, engineering, and operation of its nuclear, electrical, and gas infrastructure, including all computer and information technology systems, unless the utility complies with the requirements of this section and obtains the approval of the commission pursuant to this section. (d) Before utilizing persons that are not direct employees for work associated with the design, engineering, and operation of its nuclear, electrical, and gas infrastructure, including all computer and information technology systems, an electrical corporation or gas corporation shall file a Tier 3 advice letter with the commission that demonstrates that the work can be performed safely and securely, and without jeopardizing the security of its nuclear, electrical, and gas infrastructure. (e) The commission shall open a proceeding, or expand the scope of an existing proceeding, to evaluate the advice letter. The commission shall hold not less than one duly noticed public hearing for the proceeding. The commission shall issue a written decision determining whether the electrical corporation or gas corporation may utilize persons that are not direct employees for the described work. (f) A person or corporation owning or operating a qualifying facility pursuant to federal law or a facility that is an exempt wholesale generator is not an electrical corporation due to the ownership or operation of that facility. This subdivision is declaratory of existing law. SEC. 2. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.