California Tech Industry Weighs In on Critical Infrastructure Breach Reporting

Tech companies are concerned about proposed legislation that would require businesses that maintain critical infrastructure to report cyberincidents to the California Office of Emergency Services.

Should businesses that maintain critical infrastructure inside California — or potentially, outside the state — be forced to report a cyberbreach of those systems to the California Office of Emergency Services?

That's the question the tech industry is weighing as it provides input on legislation that would potentially add a state-level reporting requirement for cyberincidents that already must be reported to the feds under existing law.

Assemblymember Ed Chau, D-Monterey Park, the author of AB 1359, explained this week in front of a legislative panel that currently "there's no state requirement that a cyberattack that does not cause the loss of personally identifiable information be reported to a state agency," and that his bill is aimed at increasing awareness at the state level of electronic security breaches.

Under AB 1359, businesses that keep critical infrastructure would report incidents to the California Office of Emergency Services and the California Cybersecurity Integration Center.

Chau said his bill includes a one-year delay (to 2019) in implementing the proposed new law to give businesses time to refine their reporting procedures.

The technology industry has concerns about the bill as it's currently written. Representatives of the California Chamber of Commerce, TechNet and others told the Assembly Committee on Privacy and Consumer Protection earlier this week that they're working with Chau to tighten the bill's language and are currently opposed to AB 1359.

Margaret Gladstein, on behalf of CalChamber, said that incident reporting for critical infrastructure already occurs appropriately at the federal level and that state entities such as CalOES should have access now to that data.

A California Bankers Association representative said AB 1359 would give CalOES more powers to define what is critical infrastructure and what is a critical infrastructure business, and could lead to conflicting reporting requirements.

Laura Bennett, executive director for California and the Southwest, said it's "troubling" that AB 1359 could expand the reporting requirements onto her organization's member companies, which aren't subject to those requirements at this time.

Chau said the bill's intent is not to give CalOES more authority, and that he will continue to work with the opposition to tighten the scope of the bill and narrow it to a few key sectors. But he added that it "makes sense" the bill would require reporting of breach incidents that occur at facilities outside of California.    

Assemblymember Jacqui Irwin thanked Chau for bringing the bill forward, and said she also understood the concerns of the technology industry. "I think we're sort of struggling on what the role of government should be — California government should be — with critical infrastructure, and especially the cybersecurity of critical infrastructure," Irwin said.

Irwin voted yes on the bill in a 7-to-3 vote of the Assembly Privacy and Consumer Protection Committee on Tuesday. The bill was referred to the Appropriations Committee.




Matt Williams was Managing Editor of Techwire from June 2014 through May 2017.