SACRAMENTO, Calif. — A new law signed by Gov. Jerry Brown aims to step up cybersecurity efforts in the Golden State.
Under the law, the Office of Information Security within California’s Department of Technology, in collaboration with the state’s Office of Emergency Services, must require at least 35 annual network security assessments across state government.
Agencies and departments will prioritize programs for an assessment based on how often the program deals with sensitive personal data, like health and financial records, and how well it plans for and recovers from cybersecurity incidents. The state’s Military Department will take the lead on performing the risk assessments under the law, which goes into effect Jan. 1, 2016.
“Cybersecurity attacks are on the rise and California state government is a priority target because of the value and sheer size of its networks and data,” Assemblymember Jacqui Irwin, who authored the bill, said in a statement. “The state bears a responsibility in actively defending the information it collects as well as the critical networks that Californians rely on for services. [Assembly Bill 670] will make sure those steps are taken.”
Cyberattacks have become larger, more frequent and more sophisticated, according to a recent report from the California State Auditor. Retailers, financial institutions, and state and local governments have all been compromised in recent years.
Morgan Culbertson, Irwin’s communication director, told StateScoop the bill will predominantly affect larger state agencies, like the Department of Motor Vehicles and the Franchise Tax Board. The bill’s cost of implementation could reach up to $40,000, but is determined by the size of the agencies being assessed, Culbertson said. She added agencies are already funded for these risk assessments.
“It was a policy but not a law or a mandate,” Culbertson said. “They can’t just sit idly by and wait for them to [do] it themselves.”