AB 2320 was introduced in February by Assemblymember Edwin Chau, D-Monterey Park, and would mandate cyberinsurance coverage if a contractor received or was given access to records that contain personal information protected under the state's Information Practices Act, according to bill text.
That act, passed in 1977, regulates the means by which state agencies collect, manage and disseminate personally identifying information on citizens — including names, social security numbers, physical descriptions, home addresses, home telephone numbers, education, financial matters, and medical or employment history, a member of Chau's staff explained.
As such, the new law would apply to pretty much every state office, department, division, bureau, board, commission or other state agency, and most contractors would be similarly subject to it, the staffer explained.
Ransomware attacks on governments and companies seem to have increased over the last several years and governments are paying higher ransoms than ever. Cyberinsurance has been viewed by some as a way to mitigate the financial strain these attacks can bring to targeted organizations, but many experts have warned that payouts are the very thing fueling the attacks in the first place.
In a statement provided to Government Technology, Chau laid out his reasoning for supporting the legislation.
“Maintaining a robust cybersecurity framework is the responsibility of all those involved with the handling and management of personal information. Contractors doing business with state agencies may receive or have access to the personal information collected by state agencies and it would be prudent for these businesses to have cyber insurance in place to mitigate the risks associated with cyberattacks, especially as these attacks often come in the form of malware, ransomware or denial-of-service attacks,” the assemblymember said.
A law like this has the potential to transfer some of the cost of cyberattacks from taxpayers to the private sector, while also fostering basic risk awareness and best practices among contractors.
However, a criticism levelled at the insurance industry is that companies have so far frequently failed their customers — looking for any excuse to not pay out a claim. Meanwhile, even when ransomware hackers are paid, it is not a guarantee that agencies will regain access to their data: companies that pay frequently find that they cannot.
According to the bill text, the level of coverage per contractor would be determined by the contracting agency, and would be made to be "sufficient to cover all losses" resulting from an incident.
For a law with such a large potential impact on state government's private partners, there are a lot of details here that would need to be ironed out before it could be put into practice.
Chau's bill was most recently sent to the state's committees on Privacy and Consumer Protection and Accountability and Administrative Review, where legislators will seek some clarity on policy.
