| Old | New | Differences | |
|---|---|---|---|
| 1 | - | ||
| 1 | + | Amended IN Assembly April 17, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1359Introduced by Assembly Member ChauFebruary 17, 2017 An act to add Chapter 7.1 (commencing with Section 8669) to Division 1 of Title 2 of the Government Code, relating to information security. LEGISLATIVE COUNSEL'S DIGESTAB 1359, as amended, Chau. California Cybersecurity Integration Center. Cybersecurity: critical infrastructure business: breach notification.(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services. The bill would deem a critical infrastructure business to be in compliance with this requirement with respect to a breach if it complies with specified requirements related to disclosing that breach to the multistate information sharing and analysis center. The bill would require a critical infrastructure business to disclose breaches in a form and manner provided by the office, and without unreasonable delay, except as provided. The bill would otherwise prohibit public disclosure of the information and reports required by its provisions.(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. By executive order in 2015, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (CalSIC) with the primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in the state.This bill would state the intent of the Legislature to enact subsequent legislation that would require certain companies to confidentially report cyberattacks to CalSIC, and would impose certain duties on CalSIC with respect to the information submitted.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).8669.2. This chapter shall become operative on January 1, 2019.SEC. 2. The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.SECTION 1.It is the intent of the Legislature to enact legislation that would require companies with critical infrastructure assets that are located in California to confidentially report cyberattacks against those assets to the California Cybersecurity Integration Center (CalSIC) under the Office of Emergency Services, and would further require CalSIC to ensure the information so submitted is stored anonymously so that the intelligence value of the threat information can be made available to other companies within the same sector in a manner that does not identify the company that reported the information. | |
| 2 | 2 | ||
| 3 | - | ||
| 3 | + | Amended IN Assembly April 17, 2017 CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION Assembly Bill No. 1359Introduced by Assembly Member ChauFebruary 17, 2017 An act to add Chapter 7.1 (commencing with Section 8669) to Division 1 of Title 2 of the Government Code, relating to information security. LEGISLATIVE COUNSEL'S DIGESTAB 1359, as amended, Chau. California Cybersecurity Integration Center. Cybersecurity: critical infrastructure business: breach notification.(1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services. The bill would deem a critical infrastructure business to be in compliance with this requirement with respect to a breach if it complies with specified requirements related to disclosing that breach to the multistate information sharing and analysis center. The bill would require a critical infrastructure business to disclose breaches in a form and manner provided by the office, and without unreasonable delay, except as provided. The bill would otherwise prohibit public disclosure of the information and reports required by its provisions.(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. By executive order in 2015, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (CalSIC) with the primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in the state.This bill would state the intent of the Legislature to enact subsequent legislation that would require certain companies to confidentially report cyberattacks to CalSIC, and would impose certain duties on CalSIC with respect to the information submitted.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO | |
| 4 | 4 | ||
| 5 | - | ||
| 5 | + | Amended IN Assembly April 17, 2017 | |
| 6 | 6 | ||
| 7 | - | Amended IN Assembly April 27, 2017 | |
| 8 | 7 | Amended IN Assembly April 17, 2017 | |
| 9 | 8 | ||
| 10 | 9 | CALIFORNIA LEGISLATURE 20172018 REGULAR SESSION | |
| 11 | 10 | ||
| 12 | 11 | Assembly Bill No. 1359 | |
| 13 | 12 | ||
| 14 | 13 | Introduced by Assembly Member ChauFebruary 17, 2017 | |
| 15 | 14 | ||
| 16 | 15 | Introduced by Assembly Member Chau | |
| 17 | 16 | February 17, 2017 | |
| 18 | 17 | ||
| 19 | 18 | An act to add Chapter 7.1 (commencing with Section 8669) to Division 1 of Title 2 of the Government Code, relating to information security. | |
| 20 | 19 | ||
| 21 | 20 | LEGISLATIVE COUNSEL'S DIGEST | |
| 22 | 21 | ||
| 23 | 22 | ## LEGISLATIVE COUNSEL'S DIGEST | |
| 24 | 23 | ||
| 25 | - | AB 1359, as amended, Chau. Cybersecurity: critical infrastructure business: breach notification. | |
| 24 | + | AB 1359, as amended, Chau. California Cybersecurity Integration Center. Cybersecurity: critical infrastructure business: breach notification. | |
| 26 | 25 | ||
| 27 | - | (1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where | |
| 26 | + | (1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information.Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services. The bill would deem a critical infrastructure business to be in compliance with this requirement with respect to a breach if it complies with specified requirements related to disclosing that breach to the multistate information sharing and analysis center. The bill would require a critical infrastructure business to disclose breaches in a form and manner provided by the office, and without unreasonable delay, except as provided. The bill would otherwise prohibit public disclosure of the information and reports required by its provisions.(2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.This bill would make legislative findings to that effect.The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. By executive order in 2015, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (CalSIC) with the primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in the state.This bill would state the intent of the Legislature to enact subsequent legislation that would require certain companies to confidentially report cyberattacks to CalSIC, and would impose certain duties on CalSIC with respect to the information submitted. | |
| 28 | 27 | ||
| 29 | 28 | (1) The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. Existing law requires the Department of Technology, in consultation with the Office of Emergency Services and in compliance with the information security program required to be established by the Chief of the Office of Information Security, to update the Technology Recovery Plan element of the State Administrative Manual to ensure the inclusion of cybersecurity strategy incident response standards for each state agency to secure its critical infrastructure controls and critical infrastructure information. | |
| 30 | 29 | ||
| 31 | - | Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where | |
| 30 | + | Existing law requires a person or business conducting business in California that owns or licenses computerized data that includes personal information to disclose expeditiously and without unreasonable delay a breach in the security of the data to a resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person where the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person, and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. | |
| 32 | 31 | ||
| 33 | - | This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services | |
| 32 | + | This bill would require, on or after January 1, 2019, a critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to also disclose that breach to the Office of Emergency Services. The bill would deem a critical infrastructure business to be in compliance with this requirement with respect to a breach if it complies with specified requirements related to disclosing that breach to the multistate information sharing and analysis center. The bill would require a critical infrastructure business to disclose breaches in a form and manner provided by the office, and without unreasonable delay, except as provided. The bill would otherwise prohibit public disclosure of the information and reports required by its provisions. | |
| 34 | 33 | ||
| 35 | 34 | (2) Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest. | |
| 36 | 35 | ||
| 37 | 36 | This bill would make legislative findings to that effect. | |
| 38 | 37 | ||
| 38 | + | The California Emergency Services Act sets forth the duties of the Office of Emergency Services with respect to specified emergency preparedness, mitigation, and response activities within the state. By executive order in 2015, the Governor directed the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center (CalSIC) with the primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in the state. | |
| 39 | + | ||
| 40 | + | ||
| 41 | + | ||
| 42 | + | This bill would state the intent of the Legislature to enact subsequent legislation that would require certain companies to confidentially report cyberattacks to CalSIC, and would impose certain duties on CalSIC with respect to the information submitted. | |
| 43 | + | ||
| 44 | + | ||
| 45 | + | ||
| 39 | 46 | ## Digest Key | |
| 40 | 47 | ||
| 41 | 48 | ## Bill Text | |
| 42 | 49 | ||
| 43 | - | The people of the State of California do enact as follows:SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 50 | + | The people of the State of California do enact as follows:SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).8669.2. This chapter shall become operative on January 1, 2019.SEC. 2. The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state.SECTION 1.It is the intent of the Legislature to enact legislation that would require companies with critical infrastructure assets that are located in California to confidentially report cyberattacks against those assets to the California Cybersecurity Integration Center (CalSIC) under the Office of Emergency Services, and would further require CalSIC to ensure the information so submitted is stored anonymously so that the intelligence value of the threat information can be made available to other companies within the same sector in a manner that does not identify the company that reported the information. | |
| 44 | 51 | ||
| 45 | 52 | The people of the State of California do enact as follows: | |
| 46 | 53 | ||
| 47 | 54 | ## The people of the State of California do enact as follows: | |
| 48 | 55 | ||
| 49 | - | SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 56 | + | SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).8669.2. This chapter shall become operative on January 1, 2019. | |
| 50 | 57 | ||
| 51 | 58 | SECTION 1. Chapter 7.1 (commencing with Section 8669) is added to Division 1 of Title 2 of the Government Code, to read: | |
| 52 | 59 | ||
| 53 | 60 | ### SECTION 1. | |
| 54 | 61 | ||
| 55 | - | CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 62 | + | CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).8669.2. This chapter shall become operative on January 1, 2019. | |
| 56 | 63 | ||
| 57 | - | CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 64 | + | CHAPTER 7.1. Cybersecurity8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services.8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).8669.2. This chapter shall become operative on January 1, 2019. | |
| 58 | 65 | ||
| 59 | 66 | CHAPTER 7.1. Cybersecurity | |
| 60 | 67 | ||
| 61 | 68 | CHAPTER 7.1. Cybersecurity | |
| 62 | 69 | ||
| 63 | 70 | 8669. For purposes of this chapter, the following terms have the following meanings:(a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure.(b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.(c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California.(d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30.(e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30.(f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure.(g) Office means the Office of Emergency Services. | |
| 64 | 71 | ||
| 65 | 72 | ||
| 66 | 73 | ||
| 67 | 74 | 8669. For purposes of this chapter, the following terms have the following meanings: | |
| 68 | 75 | ||
| 69 | 76 | (a) Breach of security means unauthorized electronic access of critical infrastructure controls or unauthorized acquisition of critical infrastructure information that compromises the security, confidentiality, or integrity of critical infrastructure. Good faith access to critical infrastructure controls or acquisition of critical infrastructure information by an employee or agent of the person or business for the purposes of the person or business is not a breach of security, provided that the information is not used or subject to further unauthorized disclosure. | |
| 70 | 77 | ||
| 71 | 78 | (b) Critical infrastructure means those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of those systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. | |
| 72 | 79 | ||
| 73 | 80 | (c) Critical infrastructure business means a person or entity that conducts business in a critical infrastructure sector in California. | |
| 74 | 81 | ||
| 75 | 82 | (d) Critical infrastructure controls has the same meaning as defined in subdivision (a) of Section 8592.30. | |
| 76 | 83 | ||
| 77 | 84 | (e) Critical infrastructure information has the same meaning as defined in subdivision (b) of Section 8592.30. | |
| 78 | 85 | ||
| 79 | 86 | (f) Critical infrastructure sector means those sectors of the economy and their constituent entities identified in Presidential Policy Directive 21 (2013), the federal National Infrastructure Protection Plan (NIPP), and any sector-specific plans under the NIPP, as owning or controlling critical infrastructure. | |
| 80 | 87 | ||
| 81 | 88 | (g) Office means the Office of Emergency Services. | |
| 82 | 89 | ||
| 83 | - | 8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 90 | + | 8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office.(b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section.(c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons:(1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation.(2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.(d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section.(e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1). | |
| 84 | 91 | ||
| 85 | 92 | ||
| 86 | 93 | ||
| 87 | 94 | 8669.1 (a) A critical infrastructure business that experiences a breach of security of critical infrastructure information or critical infrastructure controls and is required by federal law to disclose that breach to federal authorities shall, within a reasonable amount of time after discovering that breach, disclose that breach to the office, unless that disclosure would otherwise be prohibited by law. If that critical infrastructure business is not required to disclose that breach by federal law, then that business may, and is strongly encouraged to, disclose that breach to the office. | |
| 88 | 95 | ||
| 89 | - | (b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, | |
| 96 | + | (b) Notwithstanding subdivision (a), a person or business that discloses a breach of security of critical infrastructure information or critical infrastructure controls to the multistate information sharing and analysis center and does so in a manner otherwise consistent with this section, shall be deemed to be in compliance with the notification requirements of this section. | |
| 90 | 97 | ||
| 91 | 98 | (c) A critical infrastructure business shall disclose a breach pursuant to this section to the office, in a form and manner required by the office, in the most expedient way possible, except that disclosure may be delayed for either of the following reasons: | |
| 92 | 99 | ||
| 93 | 100 | (1) A law enforcement agency determines that the notification will impede a criminal investigation. However, the notification required by this section shall be made promptly after the law enforcement agency determines that it will not impede the investigation. | |
| 94 | 101 | ||
| 95 | 102 | (2) The delay is necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. | |
| 96 | 103 | ||
| 97 | 104 | (d) The office may promulgate regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3) to further define the terms used in this section and provide guidance as to the types of companies and attacks considered reportable under this section. | |
| 98 | 105 | ||
| 99 | 106 | (e) The information and reports required by this section are confidential and shall not be disclosed pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1). | |
| 100 | - | ||
| 101 | - | (f) Notwithstanding subdivision (a), a person or business that experiences a breach of security that only results in the loss of personal information, and that reports the breach to the Attorney General in compliance with subdivision (f) Section 1798.82 of the Civil Code, shall be deemed to be in compliance with the notification requirements of this section. | |
| 102 | 107 | ||
| 103 | 108 | 8669.2. This chapter shall become operative on January 1, 2019. | |
| 104 | 109 | ||
| 105 | 110 | ||
| 106 | 111 | ||
| 107 | 112 | 8669.2. This chapter shall become operative on January 1, 2019. | |
| 108 | 113 | ||
| 109 | 114 | SEC. 2. The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state. | |
| 110 | 115 | ||
| 111 | 116 | SEC. 2. The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state. | |
| 112 | 117 | ||
| 113 | 118 | SEC. 2. The Legislature finds and declares that Section 1 of this act, which adds Section 8669 to the Government Code, imposes a limitation on the publics right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest: | |
| 114 | 119 | ||
| 115 | 120 | ### SEC. 2. | |
| 116 | 121 | ||
| 117 | 122 | Preventing public disclosure of the cybersecurity preparations and critical infrastructure information promotes public safety by prohibiting access to those who would use that information to thwart the cybersecurity of critical infrastructure controls within the state. | |
| 123 | + | ||
| 124 | + | ||
| 125 | + | ||
| 126 | + | It is the intent of the Legislature to enact legislation that would require companies with critical infrastructure assets that are located in California to confidentially report cyberattacks against those assets to the California Cybersecurity Integration Center (CalSIC) under the Office of Emergency Services, and would further require CalSIC to ensure the information so submitted is stored anonymously so that the intelligence value of the threat information can be made available to other companies within the same sector in a manner that does not identify the company that reported the information. |