IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Bill Would Boost CDT's Security Role; Critics Say It's Unnecessary

Striving to bolster government cybersecurity statewide, lawmakers on Tuesday backed legislation that would require all state agencies to comply with security policies issued by the California Department of Technology. The proposed directive would be a change in state law, and it’s one that California’s constitutional officers oppose.

jan-ross-12-15.jpg
Striving to bolster government cybersecurity statewide, lawmakers on Tuesday backed legislation that would require all state agencies to comply with security policies issued by the California Department of Technology (CDT).

The proposed directive would be a change in state law, and it’s one that California’s constitutional officers oppose.

“It will expand the scope of the governor’s authority to give mandating power to the California Department of Technology over constitutional offices regarding their information security operations,” said Jan Ross, deputy treasurer for technology and innovation in the Treasurer’s Office.

“The independence of California’s constitutional offices is part of the state’s system of checks and balances,” she added.

Currrently, IT policies and procedures crafted by the CDT's Office of Information Security must be followed by any state entity that falls under the governor’s authority — a wide swath of government that includes departments, boards, bureaus, commissions and councils. But it does not include the elected constitutional offices — controller, treasurer, insurance commissioner, attorney general and school superintendent.

AB 3193 by Assemblyman Ed Chau, D-Monterey Park, would close the gap and bring uniformity to state government.

“Ultimately we want to make cybersecurity as strong as possible,” Chau said.

Representatives for several of the constitutional offices described the bill as unnecessary, in large part because they already comply with the protocols and recommendations issued by CDT.

The Assembly Privacy and Consumer Protection Committee, which is chaired by Chau, approved the bill on a 9-0 vote.

Other bills endorsed by the committee:

AB 2748 would create a voluntary pilot program for county election officials to get an independent cybersecurity assessment of their election infrastructure. Such a program, bill author Chau said, would allow counties to tap into the state’s expertise about cybersecurity, and all assessments would be confidential.

AB 2812 would create the Office of Local Cloud Migration and Digital Innovation within the CDT, tasked with promoting cloud-based computing, data storage and other technologies to local agencies. The bill by Assemblywoman Monique Limón, D-Santa Barbara, would also create an account — funded by donations from private industry and the nonprofit sector — to finance the new entity.

AB 2375 would authorize the secretary of state to join California to the Electronic Registration Information Center, a multistate voter registration system. Bill author Assemblyman Jay Obernolte, R-Hesperia, told lawmakers that joining the system was about civic engagement and would enable election officials to reach out to people who have moved into California. Twenty-three states have joined the system so far. However, privacy advocates, including the ACLU, fear that sharing Californians’ voter registration data might expose sensitive information.

AB 1859 would require any consumer credit reporting agency that conducts business in California to begin implementing software updates within three days of becoming aware of a vulnerability. If they don’t patch a vulnerability and consumer information is breached, the agency would be subject to civil penalties. Chau introduced the legislation in response to the 2017 Equifax breach that exposed the personal information of some 147.9 million consumers.