IE11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Bills Would Address Automation, Cybersecurity — If They Advance

The state Legislature's return from recess remains "fluid," Gov. Gavin Newsom said Tuesday, but two bills from Assemblymember Ed Chau, D-Monterey Park, would scrutinize automated decision systems and cybersecurity for IT systems and connected devices.

This story is limited to Techwire Insider members.
This story is limited to Techwire Insider members. Login below to read this story or learn about membership.
The California Legislature recessed March 20 as leaders confronted the novel coronavirus (COVID-19) pandemic in earnest, but two pieces of technology and cybersecurity legislation are worth keeping an eye on when officials return.

The proposed bills, from Assemblymember Ed Chau, D-Monterey Park, a member of the California Legislative Technology and Innovation Caucus, had only received their first reading before Legislators adjourned — but if passed they could offer substantive direction on automation and IT security. Their path through the Legislature isn’t yet clear; lawmakers aren’t expected to return to the statehouse before April 13 at the earliest — and if they do return then, they will be confronted by the proposed Fiscal Year 2020-2021 budget which they must pass by June 15, as required by the state Constitution. Gov. Gavin Newsom declared the Legislature’s return “fluid” during a news conference Tuesday, adding: “There is no time certain to come back in session.” It’s also uncertain whether the Legislature might work remote. Among the takeaways:

Assembly Bill 2269 would enact the Automated Decision Systems Accountability Act of 2020 — taking aim at any “computational process” including those originating from machine learning, data processing or artificial intelligence, that make decisions or facilitate “human decision making, that impacts persons.” The bill would require businesses that use automated decision systems (ADSs) to ensure they have processes in place to test for biases during their development or use; that they do impact assessments to learn whether their ADSs adversely impact a protected class; and whether they serve reasonable objectives and further legitimate interests.

If it becomes law, the bill would have the Legislature declare: “The rise of big data has raised concerns about the use of algorithmic or automated decision systems to make hiring and other workplace decisions, eligibility decisions, insurance eligibility, lending decisions, and marketing decisions quickly, automatically, and fairly,” and highlight the potential for “massive inequality” in such decisions.

“The vast amount of data collected and amassed nowadays, has resulted in the increased use of automated decision-making processes that assist with credit decisions, employment screening, insurance eligibility, and marketing, to name a few,” Chau told Techwire via email. The bill is necessary, he added, “because it establishes a process to review these systems in order to account for impacts on accuracy, fairness, bias, discrimination, privacy, and security.”

• The bill would also require businesses that use ADS to report the results of their impact assessments for programs or devices using ADS by March 1, 2022, to the state Department of Business Oversight (DBO); and annually thereafter. It would require DBO by Jan. 1, 2022, to create a procedure for businesses to use when making these reports; make information on that process available on its website; establish a process for non-compliance; and make violators subject to a civil penalty. The bill would also create an Automated Decision Systems Advisory Task Force from the public and private sectors to review and advise “on the use of automated decision systems in businesses, government, and various other settings.”

• Chau’s A.B. 2564 on cybersecurity declares the intent of the Legislature to improve the security of IT systems and connected devices “by requiring public agencies and businesses to develop security vulnerability disclosure policies.” In so doing, it would build on the California Emergency Services Act, which delineated the duties of the California Governor’s Office of Emergency Services (CalOES) — including establishing and leading the California Cybersecurity Integration Center to cut down on “cyber incidents.”

Theo Douglas is Assistant Managing Editor of Techwire.