BILL ANALYSIS                                                                                                                                                                                                    



                                                                     AB 739


                                                                    Page  1





          Date of Hearing:  April 21, 2015 


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                  Mike Gatto, Chair


          AB 739  
          Irwin - As Amended April 16, 2015


          SUBJECT:  Civil law:  liability:  communication of cyber  
          security:  threat information


          SUMMARY:  Provides legal immunity from civil or criminal  
          liability for private entities that communicate anonymized cyber  
          security-threat information and meet specified requirements,  
          until January 1, 2020.  Specifically, this bill:  


          1)Declares that there shall be no civil or criminal liability  
            for, and no legal cause of action against, a private entity  
            that communicates cyber security-threat information to another  
            private entity or a state law enforcement entity in compliance  
            with the requirements of this bill.



          2)Requires that immunity from liability shall only apply if the  
            communication is made without the intent to injure, defraud,  
            or to otherwise endanger any individual or public or private  
            entity, and is made for one of the following purposes:



             a)   To address a vulnerability of a system, network, or  








               critical infrastructure component of a public or private  
               entity;



             b)   To prevent a threat to the integrity, confidentiality,  
               or availability of a system, network, or critical  
               infrastructure component of a public or private entity;



             c)   To provide support for cyber security crime  
               investigation;



             d)   To protect individuals and entities from personal or  
               economic harm; or 



             e)   To protect the state's economic interests, including,  
               but not limited to, networks, assets, and personal  
               information.



          3)Prohibits a private entity that communicates cyber  
            security-threat information from using that information to  
            gain an unfair competitive advantage, and further requires  
            that entity to do all of the following in good faith:

             a)   Make reasonable efforts to safeguard communications that  
               can be used to identify specific persons from unauthorized  
               access or acquisition;



             b)   Comply with any lawful restriction placed on the  








               communication, including the removal of information that  
               can be used to identify specific persons; 



             c)   Transfer the cyber security-threat information as  
               expediently as possible while upholding reasonable  
               protections; and,



             d)   Ensure, at a minimum, the appropriate anonymization and  
               minimization of such information.



          4)Defines "cyber security-threat information" as information  
            pertaining directly to one of the following:



             a)   A vulnerability of a system, network, or critical  
               infrastructure component of a public or private entity;



             b)   A threat to the integrity, confidentiality, or  
               availability of a system, network, or critical  
               infrastructure component of a public or private entity;



             c)   Efforts to deny access to, or to cause the degradation,  
               disruption, or destruction of a system, network, or  
               critical infrastructure component of a public or private  
               entity; and 











             d)   Efforts to gain unauthorized access to a system,  
               network, or critical infrastructure component of a public  
               or private entity.



          5)Declares that communication of cyber security-threat  
            information in compliance with these provisions and shared  
            with a public agency is exempt from disclosure under the  
            California Public Records Act.

          6)Declares these provisions to become inoperative on January 1,  
            2020.


            


          7)Makes findings and declarations relative to the limitations  
            placed on the public's right of access to specified  
            information, and the state's strong interest in protecting its  
            information technology (IT) systems from intrusion.  


          EXISTING LAW:  


          1)Requires a person or business that owns, licenses, or  
            maintains personal information about a California resident to  
            implement and maintain reasonable security procedures and  
            practices appropriate to the nature of the information, to  
            protect the personal information from unauthorized access,  
            destruction, use, modification, or disclosure.  (Civil Code  
            (CC) Section 1798.81.5(b))



          2)Requires a person or business conducting business in  
            California, that owns or licenses computerized data that  
            includes personal information, as defined, to disclose in  
            specified ways, a breach of the security of the system or  








            data, as defined, following discovery or notification of the  
            security breach, to any California resident whose unencrypted  
            personal information was, or is reasonably believed to have  
            been, acquired by an unauthorized person.  (CC 1798.82)



          3)Establishes the Department of Technology (CalTech) within the  
            Government Operations Agency, headed by the Director of  
            Technology who is also known as the State Chief Information  
            Officer.  CalTech is responsible for the approval and  
            oversight of IT projects by, among other things, consulting  
            with agencies during initial project planning to ensure that  
            project proposals are based on well-defined programmatic  
            needs.  (Government Code (GC) Sections 11545, 12803.2)


          4)Requires each state agency to have a chief information officer  
            who is appointed by the head of the state entity, and is  
            responsible for supervising all IT, including information  
            security.  (GC 11546.1)


          5)Establishes the Office of Information Security (OIS) within  
            the Department of Technology, which is responsible for ensuring  
            the confidentiality, integrity, and availability of state  
            systems and applications.  The law requires the OIS to develop  
            an information security program and establish policies,  
            standards, and procedures directing state agencies to  
            effectively manage security and risk.  (GC 11549, et seq.)



          6)Provides, pursuant to the California Public Records Act, for  
            public access to public agencies' records, and requires that  
            public records be open to inspection and that every person has  
            the right to inspect any public record, with some exceptions.  
            (GC 6250, et seq.)









          FISCAL EFFECT:  Unknown


          COMMENTS:  


           1)Purpose of this bill.  This bill is intended to increase the  
            sharing of time-sensitive cyber security threat information by  
            providing legal immunity to private parties who share  
            anonymized threat information, subject to certain safeguards.   
            The provisions of this bill would sunset on January 1, 2020.   
            AB 739 is author-sponsored. 

           2)Author's statement.  According to the author, "This bill will  
            encourage cybersecurity information sharing by shielding  
            companies from lawsuits based upon that process of sharing  
            cybersecurity threat information.  The lack of such liability  
            protection has prevented further development of our  
            information sharing channels between the private sector and  
            government, and amongst private companies. 

            "The financial sector has been sharing information for the  
            purposes specified in this bill since 1999. In response to  
            critical incidents, other sectors have launched their own  
            cyber threat information sharing portals.  For example, the  
            retail sector recently launched the R-CISC to share  
            cybersecurity threat information between retailers, law  
            enforcement, the Department of Homeland Security and other  
            stakeholders. 

            "Cybersecurity crime accounts for an estimated $400 billion  
            global economic impact. California is the most targeted state  
            in the country with 17% of reported attacks or breaches  
            occurring within the state.  Prevention is the best policy and  
            this bill will provide protection for preventative information  
            sharing which empowers the private sector to take steps to  
            protect themselves and mitigate the risk in the larger  
            economy."









           3)California and the cyber security threat.  According to the  
            California Military Department (CMD), California's size and  
            prominence make it vulnerable to cyber incidents that disrupt  
            business, shut down critical infrastructure, and compromise  
            intellectual property or national security.  In 2012, 17  
            percent of the data breaches recorded in the United States  
            took place in California - more than in any other state; and  
            the number of reported breaches in California increased by 28  
            percent in 2013.  According to a January 2015 report by the  
            California Attorney General's Office, 187 breaches were  
            reported to the California Department of Justice in 2014,  
            compared to 167 in 2013 and 131 in 2012.  CMD calls cybercrime  
            "a growth industry" causing $400 billion in negative impacts  
            annually on the global economy.  

          According to the Identity Theft Resource Center, there were 783  
            data breaches reported nationwide in 2014 - a 27.5 percent  
            increase over the previous year.  The Privacy Rights  
            Clearinghouse reports that more than 815 million records have  
            been compromised in more than 4,489 publicly acknowledged data  
            breaches since 2005.



           4)Existing efforts at threat information sharing.  Cyber  
            security-threat information sharing is based on the idea that  
            the faster that individual entities share information about  
            cyber-attacks discovered on their networks, the faster other  
            entities can prepare more effective defenses - thereby  
            reducing vulnerability to cyber-attack across the entire  
            system.  

          Coordinated information sharing as a defensive tactic is not  
            new. One well-established example is the creation of the  
            Information Sharing and Analysis Centers (ISAC) for the  
            financial services industry by Presidential Decision Directive  
            63 in 1998. The directive requested the public and private  
            sector to create a partnership to share information about  
            physical and cyber threats, vulnerabilities, and events to  








            help protect the critical infrastructure of the United States.  
            After analysis by industry experts, alerts are delivered to  
            participants based on their level of service. Today there are  
            ISACs for fourteen critical infrastructures, such as financial  
            services, electric, energy and surface transportation.  

          Even non-critical infrastructure industries have set up their  
            own threat information systems.  For example, the retail  
            industry has developed the Retail Cyber Intelligence Sharing  
            Center which shares threat information between retailers, law  
            enforcement, the Department of Homeland Security and other  
            stakeholders.   



            However, faced with rapid growth in the number and  
            sophistication of attacks in recent years, there have been  
            substantial efforts at the federal level and across the  
            country to better prepare for cyber-attacks and increase the  
            sharing of threat information.  In February 2013, the  
            President signed Executive Order 13636, which calls for the  
            development of what the National Institute of Standards and  
            Technology (NIST) called "a voluntary risk-based Cybersecurity  
            Framework - a set of industry standards and best practices to  
            help organizations manage cyber security risks.  The resulting  
            Framework, created through collaboration between government  
            and the private sector, uses a common language to address and  
            manage cyber security risk in a cost-effective way based on  
            business needs without placing additional regulatory  
            requirements on businesses."  NIST issued its policy  
            recommendations in February 2014. 





            In February 2015, President Obama signed an Executive Order  
            that encourages the development of central clearinghouses  
            where information can be shared between the public and private  








            sectors quickly and securely.  



            There are also no fewer than four bills currently pending in  
            Congress, H.R.234 (Ruppersberger), H.R.1560 (Nunes), S.456  
            (Carper), and S.754 (Burr), that would variously codify  
            practices for threat information sharing, and in some cases  
            provide some form of legal immunity for threat information  
            sharing.  President Obama has also released a cyber-security  
            information sharing proposal with liability protections for  
            participants.



           5)Concerns about the current state of threat information  
            sharing.  While there are multiple threat information-sharing  
            systems in place, there is some question as to how  
            comprehensive or effective those systems are.  

          According to a January 2015 article by securityweek.com, "Threat  
            information-sharing is a phrase that gets thrown often, but  
            there isn't much agreement on how organizations should be  
            working together or the methods they should be using.  Some  
            forms of information sharing already exist; the ISACs for  
            various industries, including financial services, retail, and  
            industrial control systems are just a few examples.  Industry  
            consortiums and groups have launched several sharing  
            platforms, such as the one from MITRE.  But some organizations  
            remain wary about information-sharing for a myriad of reasons,  
            including competitive concerns, liability worries, and  
            reputation damage.  Despite years of talking about it, there  
            are still roadblocks to effective, widespread information  
            sharing." 

          Effective information sharing also needs to happen quickly. A  
            recently released "2015 Data Breach Investigations Report"  
            from Verizon found that the speed with which threat  
            information moves - or 'herd alertness' - is critical to  








            limiting follow-on cyber-attacks.  The report found that,  
            "[b]ased on attacks observed by RiskAnalytics during 2014, 75%  
            of attacks spread from Victim 0 to Victim 1 within one day (24  
            hours). Over 40% hit the second organization in less than an  
            hour. That puts quite a bit of pressure on us as a community  
            to collect, vet, and distribute indicator-based intelligence  
            very quickly in order to maximize our collective  
            preparedness."

           6)Related legislation.  AB 670 (Irwin) would require CalTech to  
            conduct security assessments of the IT resources of every  
            state agency, department or office at least once every two  
            years.  AB 670 is currently pending in the Assembly  
            Appropriations Committee.


            AB 1172 (Chau) would create a California Cyber Security Task  
            Force within the Governor's Office of Emergency Services to  
            act in an advisory capacity and make policy recommendations on  
            cyber security for the state of California.  AB 1172 is  
            currently set for hearing in the Assembly Privacy and Consumer  
            Protection Committee on April 21, 2015.  


           7)Prior legislation.  AB 2200 (Perez) of 2014 would have created  
            a 13-member California Cyber Security Steering Committee  
            within the Governor's Office of Emergency Services (OES), and  
            would have continued the existence of the California Cyber  
            Security Task Force until January 1, 2020.  This bill was held  
            at the Assembly Desk.


            SB 1286 (Corbett) of 2014 would have raised from $35 million  
            to $65 million the amount that the Public Utilities Commission  
            may devote to research and development projects for the  
            purposes of cyber security and grid integration.  This bill  
            was held in the Senate Rules Committee.










            SB 90 (Budget and Fiscal Review), Chapter 183, Statutes of  
            2007, created the Office of Information Security and Privacy  
            Protection within the State and Consumer Services Agency. The  
            duties of that office included providing direction for  
            information security and privacy to state government agencies;  
            conducting security assessments and review of any state  
            agency; providing educational information to consumers on  
            effective ways of protecting personal information; and  
            assisting in the prosecution of identity theft and other  
            privacy-related crimes.  





           8)Double-referral.  This bill is double-referred to the Assembly  
            Judiciary Committee, where it will be heard on April 28, 2015,  
            if passed by this Committee. 



          REGISTERED SUPPORT / OPPOSITION:




          Support


          None received.




          Opposition









          None received.




          Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200