State Auditor: California Agencies Aren’t Adequately Protecting Sensitive Data

Findings could boost Assembly bill that would require biennial security audits.

by Timm Herdt, Ventura County Star, Calif. / August 27, 2015

(TNS) -- A state auditor’s report this week that found state agencies are not meeting security standards to protect sensitive information in their computer databases could provide a boost for a bill by Assemblywoman Jacqui Irwin that would require agencies to conduct security audits every two years.

Irwin, D-Thousand Oaks, is the chair of the Assembly Select Committee on Cyber Security that has conducted two information-gathering hearings this year at which questions were raised about the state’s ability to protect sensitive information such as Californians’ Social Security numbers, tax returns and health records.

Partly based on information gleaned from those hearings, Irwin has authored AB 670 to require state agencies to systematically evaluate computer security risks every two years. The bill sailed through the Assembly on a 79-0 vote in June and now awaits action in the Senate Appropriations Committee.

Irwin said this week that she has encountered some resistance to the bill from state agencies, but believes Gov. Jerry Brown will sign the bill if it reaches his desk.

Brown spokeswoman Deborah Hoffman said Wednesday that while the administration does not generally take positions on bills, “the administration is committed to bolstering cyber security.”

Irwin said the auditor’s report underscores the need for her bill. It found 73 of 77 agencies responding to a survey had not achieved full compliance with information security standards and about a third did not expect to reach compliance until 2018 or later.

“It is the public’s responsibility to protect networks, as well as the vast stores of personal information,” Irwin said. “Cyber security is one of the most pressing threats to public safety and national security today.”

She noted that at the current pace of conducting security reviews it would take the state Technology Department about 20 years to audit all state agencies and bring them up to security standards.

The report from State Auditor Elaine Howle recommends exactly the steps Irwin’s bill proposes — that lawmakers mandate independent security assessments be conducted by each agency at least once every two years.

The bill also would establish reporting requirements that will enable the state to track the location and seriousness of network risks.

The bill has been placed on the suspense file of the Senate Appropriations Committee, which will decide Thursday which bills advance to the Senate floor for consideration before lawmakers adjourn for the year on Sept. 11.

©2015 Ventura County Star (Camarillo, Calif.) Distributed by Tribune Content Agency, LLC.
