All State Agencies to Report Annual Cybersecurity Spending

All state agencies will begin reporting their annual spending on cybersecurity, a move intended to beef up California’s IT systems, under legislation signed Friday by Gov. Jerry Brown.

Lawmakers sent the measure to Brown after it became apparent this year that the California Department of Technology couldn’t provide a figure detailing how much the state spends to secure the state’s computers, networks and systems. That was a concern for lawmakers troubled by the rise in cyberattacks across the country in both the public and private sectors.

The bill by Assemblymember Rich Gordon, D-Menlo Park, is expected to help the state identify its vulnerabilities and invest to protect state data from potential hackers.

AB 2623 was among several bills addressing cybersecurity that lawmakers sent the governor in response to a scathing state audit that found cybersecurity “weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.”

Although California has not suffered a major breach, lawmakers said the nation’s most populous state remains a top target. They pointed to security breaches at the Pentagon, the White House, U.S. health-care companies, universities and retailers to illustrate the sophistication of hackers.

Under the new law, state agencies will be required to report a summary of their actual and projected spending on information security to the California Department of Technology, the agency responsible for guiding state entities on IT security.

The Department of Technology will also be tasked with developing instructions and a format for spending reports, as well as determining the accounting methodology used to collect the data.

Brown has not yet acted on other cyber-related bills that seek to crack down on ransomware attacks, require government entities to inventory data that contain personal information or mandate statewide incident response standards.