The state Legislature passed three bills all concerned with protecting state data and computer systems.
Lawmakers this week took steps intended to safeguard California’s IT systems from hackers, providing key votes to bills that call for a statewide cybersecurity plan, clear reporting of cybersecurity spending and criminal penalties for those who install ransomware.
Tired of waiting for the Brown administration to complete a statewide cybersecurity plan, the Assembly on Tuesday voted 79-0 for legislation that would require a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017.
“Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” bill author Assemblymember Jacqui Irwin, D-Thousand Oaks, said on the Assembly floor.
Such an effort has been in the works for at least five years, but the Office of Emergency Services (OES) has not said when the document would be finalized. That is a concern to lawmakers who fear a disruption in critical services could result from a major data breach or cyberattack on critical infrastructure.
AB 1841 also would require the Office of Emergency Services to craft a comprehensive cybersecurity strategy by Jan. 1, 2018.
The Assembly also approved a related measure that would require state agencies to report information security expenditures to the Department of Technology. Assemblymember Rich Gordon, D-Menlo Park, told lawmakers that such information could help the Legislature decide where to allocate state dollars.
“Lack of reporting makes it challenging to address vulnerabilities and identify departments that either might be over or perhaps underspending on cybersecurity,” Gordon said.
Lawmakers approved AB 2623 by a 77-2 vote. Both bills move to the Senate for consideration.
In the Senate, lawmakers unanimously approved legislation that would require state agencies to prepare security plans that detail how they would respond if personal information data is breached.
SB 1444 by Sen. Bob Hertzberg, D-Van Nuys, would require a state agency to inventory any personal information that is either stored or transmitted by the agency. It also calls for agencies to establish procedures to facilitate communication between an incident response team, agency officials, and individuals affected by a breach.
“Our job is to protect the public not only when there is a problem, not after there’s been a breach, but before it has happened,” Hertzberg said on the Senate floor. “We’ve got to get ahead of the game.”
Senators also unanimously approved SB 1137 by Hertzberg to update the criminal code and make it a crime to knowingly put ransomware on a computer's system, network or data. Ransomware is an extortion technique that forces a victim to pay or compensate the attacker in order to unlock his or her computer, device or data. Hertzberg's bill would make a ransomware violation punishable by a two- to four-year jail term and a fine of up to $10,000.
Hertzberg’s bills will now go before the Assembly.
Although several cyber-related bills continue to move through the Legislature, lawmakers last week refused to back bills that would have required state agencies to establish baseline security controls or pay individuals who identify vulnerabilities in state networks.
The Assembly Appropriations Committee held back three cybersecurity bills:
This article was originally published on TechWire.