SACRAMENTO, Calif. — California has updated a guide meant to help state agencies better safeguard citizens’ personal information, but some question whether the new changes will do enough to boost security in agencies’ systems.
The California Department of Technology amended the State Information Management Manual this month to reflect updated data breach notification laws. The laws, which passed in October 2015 and went into effect at the beginning of the year, established a new definition of encryption, expanded the definition of personal information, and outlined specific language and forms for reporting those breaches.
State Assembly Member Ling Ling Chang, a data privacy advocate, said the legislation and subsequent update are a good start — noting the new encryption definition established “a stronger and more dynamic safeguard” — but cautioned that threats still loom.
“In some ways these laws strike an appropriate balance and in other ways they may represent false security,” Chang wrote in an email to StateScoop. “For example, it’s nice to focus on encryption, but encryption is not the same as information privacy or even security.”
Maya Wallace — who served in California’s auditing agency for six years and currently works with local governments to create technology to improve citizen access to government services — acknowledged some of the challenges of creating a cybersecurity policy.
“It’s hard to build a law that can anticipate every potential scenario,” Wallace told StateScoop. “It’s a wild, wild world, it’s not really easy to manage.”
At the same time, she would also like the timeline for informing victims of a breach to be re-examined, noting that changes would need to be sensitive to industry needs as well.
“You don’t want to tip off whoever’s been rooting around in your information that you know and you’re working on a solution,” Wallace said.
Meanwhile, Assembly Member Ed Chau, an author of one of the laws, defended the update. He told StateScoop in an email that the legislation improves on the state’s previous cyber policies.
“Prior to the enactment of AB 964 into law, so long as data was encrypted in any fashion, however negligible, no notice was required despite the potential vulnerability of the information to decryption,” Chau said.
While the Department of Technology wouldn’t speak to whether the update went far enough, spokeswoman Teala Schaff did say California uses best practices for its cybersecurity and goes “above and beyond what the federal government actually requires.” She added that the state’s systems have never been hacked.
Chang acknowledged that all state agencies and lawmakers aim to better safeguard Californians’ data, but she said more could be done.
“We all have the goal of better protecting the privacy of Californians,” Chang said. But the “state government’s cybersecurity system is not what it should be even though it is the target of thousands of hacking attempts every month.”