Lawmakers this week took steps intended to safeguard California’s IT systems from hackers, providing key votes to bills that call for a statewide cybersecurity plan, clear reporting of cybersecurity spending and criminal penalties for those who install ransomware.

Tired of waiting for the Brown administration to complete a statewide cybersecurity plan, the Assembly on Tuesday voted 79-0 for legislation that would require a statewide response plan for cybersecurity threats on critical infrastructure by July 1, 2017.

“Ensuring that these preparations are made for cybersecurity will make our state networks more resilient, improve response coordination, reduce recovery time and costs and ultimately limit the damage that is done,” bill author Assemblymember Jacqui Irwin, D-Thousand Oaks, said on the Assembly floor.

Such an effort has been in the works for at least five years, but the Office of Emergency Services (OES) has not said when the document would be finalized. That is a concern to lawmakers who fear a disruption in critical services could result from a major data breach or cyberattack on critical infrastructure.

AB 1841 also would require the Office of Emergency Services to craft a comprehensive cybersecurity strategy by Jan. 1, 2018.

The Assembly also approved a related measure that would require state agencies to report information security expenditures to the Department of Technology. Assemblymember Rich Gordon, D-Menlo Park, told lawmakers that such information could help the Legislature decide where to allocate state dollars.

“Lack of reporting makes it challenging to address vulnerabilities and identify departments that either might be over or perhaps underspending on cybersecurity,” Gordon said.

Lawmakers approved AB 2623 by a 77-2 vote. Both bills move to the Senate for consideration.

In the Senate, lawmakers unanimously approved legislation that would require state agencies to prepare security plans that detail how they would respond if personal information is breached.

SB 1444 by Sen. Bob Hertzberg, D-Van Nuys, would require a state agency to inventory any personal information that is either stored or transmitted by the agency. It also calls for agencies to establish procedures to facilitate communication between an incident response team, agency officials, and individuals affected by a breach.

“Our job is to protect the public not only when there is a problem, not after there’s been a breach, but before it has happened,” Hertzberg said on the Senate floor. “We’ve got to get ahead of the game.”

Senators also unanimously approved SB 1137 by Hertzberg to update the criminal code and make it a crime to knowingly place ransomware on a computer system, network or data. Ransomware is an extortion technique that forces a victim to pay or otherwise compensate the attacker in order to unlock his or her computer, device or data. Hertzberg's bill would make a ransomware violation punishable by a two- to four-year jail term and a fine of up to $10,000.

Hertzberg’s bills will now go before the Assembly.

Although several cyber-related bills continue to move through the Legislature, lawmakers last week refused to back bills that would have required state agencies to establish baseline security controls or to pay individuals who identify vulnerabilities in state networks.

The Assembly Appropriations Committee held back three cybersecurity bills:

  • AB 1881 by Assemblymember Ling Ling Chang, R-Diamond Bar, would have required the state chief information security officer to develop baseline security controls for all agencies and departments under its jurisdiction.
  • AB 2595 by Assemblymember Eric Linder, R-Corona, would have codified the California Cybersecurity Integration Center that Gov. Jerry Brown created in a 2015 executive order. The bill also would have required the Office of Emergency Services to develop a state cybersecurity strategy for California and authorize the OES to administer federal homeland security grant funding.
  • AB 2720 by Assemblymember Ed Chau, D-Arcadia, would have authorized the state to create a “bug bounty” program and offer a monetary reward to individuals who find network vulnerabilities and report them to state cybersecurity experts.