Under existing law, there are various security requirements for private business entities that possess or access sensitive personally identifying information, including taking reasonable measures to protect the information from a breach of security, notification requirements in the event of a breach, and disposal requirements. This bill would require the Secretary of the Office of Information Technology to adopt rules to govern government entities that possess or access sensitive personally identifying information, including adopting the minimum standards of the National Institute of Standards and Technology Cybersecurity Framework.

Statutes affected:
Introduced: 8-38-2