Chau: State Must Crack Code on Cybersecurity

Ed Chau, who chairs the Assembly Select Committee on Emerging Technologies and Innovation, predicts a busy legislative year on cybersecurity, privacy and technology issues.

As chair of the Assembly Privacy and Consumer Protection Committee, Ed Chau brings the lens of a legal mind with some technology know-how. A general law practitioner who opened his own practice after law school, Chau draws upon his 20 years as an attorney, as well as stints as an engineer for IBM and as a programmer in cutting-edge technology for Unisys Corp.

Chau, who also chairs the Select Committee on Emerging Technologies and Innovation, predicts a busy legislative year on cybersecurity, privacy and technology issues for 2018, as well as a continued role in oversight of the California Department of Technology (CDT). In an interview with Techwire, Chau said he intends to continue his push to improve consumer privacy, especially Internet user privacy and AB 375, a measure that stalled last year but which Chau describes as the centerpiece of his legislative agenda.

The data breaches revealed earlier this year at Equifax and Uber have also put data security and breach notification on the agenda. And if backers of a circulating initiative known as the California Consumer Privacy Act of 2018 qualify the measure for the 2018 ballot, Chau said he will hold hearings to examine provisions that could have an impactful effect on Californians’ privacy rights.

Chau took part in this exclusive Q-and-A with Techwire.

Why are AB 375 and Internet privacy such a priority for you?

I think the bill signifies a very important aspect of protecting our private information, and it is so fundamental to allow the consumer a say in how their data is being treated and used. In this day and age, information is everything. Our personal information, our browser history, our whereabouts, our financial information, our hobbies — basically, using that information, people can build profiles about people. It’s our information. It only makes sense for us to decide for ourselves how that information is used.

The opposition fought that bill pretty vehemently, so the game plan is to continue moving that bill and hopefully stakeholders will come to the negotiation table and we can move forward together. For the ISPs (Internet service providers), they’ve been making money off using the information. It’s not too much to ask for them to give us that privacy option. It’s important not only for consumers but the state of California.

When you hear about the recent data breaches in the private sector, is there a specific area you would like to see addressed by the Legislature?

I think the notification component needs to be looked at a little more closely. Now, there’s no time frame in which the breach has to be notified. Some states do have a time frame. I think we as a state ought to look at that more closely to see what would work for us, what’s reasonable.

I’ve been looking at the patching of vulnerability issue. There is also the issue about liability and enforcement — whether or not current law is sufficient to basically determine liability on the breaching party. Those are some of the areas that would warrant a closer look.

You have said the California Consumer Privacy Act would have an impactful effect on privacy if it makes the 2018 ballot and voters approve it. What do you mean by that?

I took a very quick look at the language. I have not taken a position yet, but that initiative is quite encompassing, and if it passes will probably have a very impactful effect on privacy in general and consumer protection. I think the initiative will affect businesses in general that collect and use data, as opposed to the bill I carried, which limited it to ISPs. The initiative is much more encompassing. It will impact a lot more businesses, data brokers, entities that deal with data. I think anything that I can do to help protect consumer privacy, I think I’m on board.

One of your bills that stalled, AB 364, called for an economic study on the cybersecurity workforce. Do you plan to continue to push that?

The reason it didn’t move was because of the cost component. We are going to look into how we can ease the cost because I think that is going to be very helpful to gauge where industry is at in terms of their need for more cyberprofessionals. I think from an economic standpoint and academic standpoint, the bill is important.

Do you have any ideas of how the Legislature might be able to offer solutions to the cybersecurity job shortfall?

That is one of the things our team has been discussing. I did attempt to attack it from the education standpoint to address computer science, which is the cornerstone for cybersecurity professionals, but the bill didn’t go too far. If we want to fulfill the job opportunities, of which I believe there are plenty, we need to understand the number. That’s the impetus for AB 364. We want to find out what the jobs are so we can fill those jobs. Cyber is where the action is going to be for a while. Anything we as a state can do, I’m happy to discuss.

The privacy committee has held oversight hearings on what the state is doing on cybersecurity. Do you think the state has more to do?

I think we have begun a very thorough step towards providing a very sound cybersecurity system for the state. We don’t have a perfect system yet, but I think we’re working towards that. AB 670 was a good start to find where the holes are so we can plug those holes. That’s an ongoing process. Assessment will be important. We need to make sure every state agency is in compliance with safe cyber measures and standards.

There’s a lot we can do still. I look forward to working with CDT because we need to be working in conjunction with them to provide the, hopefully, airtight system for the state. We need to be vigilant, do our assessments diligently; we need to provide training to our staff, and we can also learn from other states.

Do you think the California Cybersecurity Integration Center should be codified into state statute?

I do support that idea. I think it’s better to put into statute rather than just an executive order because executive orders can change. We just need to convince the governor that it needs to be in statute.

When you talk to the private sector about cybersecurity, what advice do you give?

Based on the recent database breaches and ransomware attacks, we understand cybersecurity is a very important subject. It’s not going to go away. It’s going to get worse before it gets better. That underscores the importance of investment in cyber. I think there’s not enough investment for business in general, large or small. These data breaches are a wake-up call to businesses to pay more attention to cybersecurity. I advise small businesses to pay attention, and they have to look at the cost. Long term, it’s going to cost them more than the initial investment. But a lot of the problems can be avoided with very mundane or fundamental best practices — better password protection, better training. Many of these cyberissues could be avoided. Basic cyberhygiene would help eliminate some of these problems.

Should state budgets be posted online in a more accessible, searchable way?

I am a believer in transparency. I think the more informed the citizen is, the better government is going to be. Putting a state budget online could be helpful, and I think at least certain aspects of the state budget ought to be. Conceptually, I’m in support of providing information, including the state budget to the public. As to what and how, I think we should talk about it.

Do you think your tech background helps you in your role as chair of the privacy committee?

I have the interest in technology and how technology can be applied to government and business in general. Technology continues to change. What’s considered new technology today could be deemed obsolete in a year or less. Technology continues to change but the law lags behind. We’re always playing catch-up. The challenge is: How do we keep up with technology, given so much is going on?