Assembly Bill No. 2355 CHAPTER 498 An act to add and repeal Article 8.5 (commencing with Section 35265) of Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, relating to school security. [ Approved by Governor September 23, 2022. Filed with Secretary of State September 23, 2022. ] LEGISLATIVE COUNSEL'S DIGESTAB 2355, Salas. School cybersecurity.Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in our state.This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.This bill would repeal those provisions as of January 1, 2027.The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES Bill TextThe people of the State of California do enact as follows:SECTION 1. Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read: Article 8.5. Cybersecurity35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
Assembly Bill No. 2355 CHAPTER 498 An act to add and repeal Article 8.5 (commencing with Section 35265) of Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, relating to school security. [ Approved by Governor September 23, 2022. Filed with Secretary of State September 23, 2022. ] LEGISLATIVE COUNSEL'S DIGESTAB 2355, Salas. School cybersecurity.Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in our state.This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.This bill would repeal those provisions as of January 1, 2027.The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES
Assembly Bill No. 2355 CHAPTER 498
Assembly Bill No. 2355
CHAPTER 498
An act to add and repeal Article 8.5 (commencing with Section 35265) of Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, relating to school security.
[ Approved by Governor September 23, 2022. Filed with Secretary of State September 23, 2022. ]
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 2355, Salas. School cybersecurity.
Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in our state.This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.This bill would repeal those provisions as of January 1, 2027.The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.
Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage Californias economy, its critical infrastructure, or public and private sector computer networks in our state.
This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.
This bill would repeal those provisions as of January 1, 2027.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read: Article 8.5. Cybersecurity35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read: Article 8.5. Cybersecurity35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.
SECTION 1. Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read:
### SECTION 1.
Article 8.5. Cybersecurity35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.
Article 8.5. Cybersecurity35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.
Article 8.5. Cybersecurity
Article 8.5. Cybersecurity
35265. For purposes of this article, the following definitions apply:(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.(b) Cyberattack means either of the following:(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.(c) Local educational agency means a school district, county office of education, or charter school.
35265. For purposes of this article, the following definitions apply:
(a) California Cybersecurity Integration Center or Center means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.
(b) Cyberattack means either of the following:
(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.
(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.
(c) Local educational agency means a school district, county office of education, or charter school.
35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.
35266. (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.
(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.
(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.
(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.
35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.
35267. This article shall remain in effect only until January 1, 2027, and as of that date is repealed.
SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
### SEC. 2.