The Assembly Privacy and Consumer Protection Committee on Tuesday approved legislation that would require state agencies to report their annual cybersecurity spending.
“Lack of oversight makes it challenging to address vulnerabilities, and it makes it difficult to identify where departments might be overspending or where additional resources might be needed and how our investment as a state compares to other large companies or other states,” bill co-author Assemblyman Rich Gordon, D-Menlo Park, told the committee.
Lawmakers first expressed concern about the lack of detailed accounting at a February hearing held to examine California’s cybersecurity efforts. During questioning, the state chief information security officer couldn’t say how much California spends to prevent potential cyberattacks and safeguard the personal data it holds on millions of Californians.
The revelation came after a blistering state auditor report released last August that found California’s cybersecurity “weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.”
The Department of Technology is among a number of agencies this year that have asked the Legislature to authorize more spending for cybersecurity in the aftermath of the auditor’s report. Other requests have come from the Department of Aging, the California Environmental Protection Agency, the California Department of Alcoholic Beverage Control, the California Student Aid Commission and others.
Co-author Jacqui Irwin, D-Thousand Oaks, said the requests for increased funding and staff show the need for standardized budget reporting.
“Without knowing how much we are currently spending, there is no way for the Legislature to consider how effective the new spending is and how the security needs of one state department compare to another,” Irwin told the panel.
“This bill would provide valuable data the state needs in order to allocate resources effectively and improve the cybersecurity posture of the state going forward,” she added.
AB 2623 would require state agencies to report a summary of their actual and projected spending on information security beginning Feb. 1, 2017. The information is intended to supplement the data agencies are currently required to provide to the Department of Technology about their information technology and telecommunications costs, according to the bill analysis.
Under the bill, the Department of Technology would be tasked with developing instructions and a format for spending reports, as well as determining the accounting methodology used to collect the data.
The bill now goes to the Assembly Appropriations Committee for consideration.
This article was originally published on TechWire.
