Bill Text: CA AB2355 | 2021-2022 | Regular Session | Chaptered


Bill Title: School cybersecurity.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Passed) 2022-09-23 - Chaptered by Secretary of State - Chapter 498, Statutes of 2022.

Assembly Bill No. 2355
CHAPTER 498

An act to add and repeal Article 8.5 (commencing with Section 35265) of Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, relating to school security.

[ Approved by Governor September 23, 2022. Filed with Secretary of State September 23, 2022. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 2355, Salas. School cybersecurity.
Existing law prohibits a school district from permitting access to pupil records to a person without written parental consent or under judicial order except as authorized by specified state and federal law.
Existing law requires the Office of Emergency Services to establish and lead the California Cybersecurity Integration Center with a primary mission to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in our state.
This bill would require a school district, county office of education, or charter school to report any cyberattack, as defined, impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center. By imposing new duties on local educational agencies, the bill would constitute a state-mandated local program. The bill would require the California Cybersecurity Integration Center to establish a database that tracks reports of cyberattacks submitted by local educational agencies and to annually, by January 1, submit a report to the Governor and the relevant policy committees of the Legislature with specified information related to cyberattacks or data breaches of local educational agencies.
This bill would repeal those provisions as of January 1, 2027.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Article 8.5 (commencing with Section 35265) is added to Chapter 2 of Part 21 of Division 3 of Title 2 of the Education Code, to read:
Article 8.5. Cybersecurity

35265.
 For purposes of this article, the following definitions apply:
(a) “California Cybersecurity Integration Center” or “Center” means the California Cybersecurity Integration Center established by the Office of Emergency Services pursuant to Section 8586.5 of the Government Code.
(b) “Cyberattack” means either of the following:
(1) Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.
(2) The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.
(c) “Local educational agency” means a school district, county office of education, or charter school.

35266.
 (a) A local educational agency shall report any cyberattack impacting more than 500 pupils or personnel to the California Cybersecurity Integration Center.
(b) (1) The California Cybersecurity Integration Center shall establish a database that tracks reports of cyberattacks submitted by local educational agencies pursuant to this section. The Center shall annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on local educational agencies, the types and number of data breaches affecting local educational agencies that have been reported to the Attorney General pursuant to Sections 1798.29 and 1798.82 of the Civil Code, any activities provided by the Center to prevent cyberattacks or data breaches of a local educational agency, and support provided by the Center following a cyberattack or data breach of a local educational agency.
(2) The Attorney General shall share sample copies of data breach notifications received from local educational agencies pursuant to Sections 1798.29 and 1798.82 of the Civil Code, excluding any personally identifiable information, with the Center for the purpose of compiling this report.
(c) Nothing in this section shall be construed to affect any disclosure or notification requirements pursuant to Sections 1798.29 and 1798.82 of the Civil Code.

35267.
 This article shall remain in effect only until January 1, 2027, and as of that date is repealed.

SEC. 2.

 If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.