Report 2021-602 Recommendation Responses

Report 2021-602: State High-Risk Update—Information Security: The California Department of Technology's Inadequate Oversight Limits the State's Ability to Ensure Information Security (Release Date: January 2022)

Recommendation for Legislative Action

To strengthen the information security practices of reporting entities, the Legislature should amend state law to require that CDT confidentially submit an annual statewide information security status report, including the maturity metric scores it has calculated and the results of the nationwide review, to the appropriate legislative committees no later than December 2022. This status report should include CDT's plan for assisting reporting entities in improving their information security.

Description of Legislative Action

As of February 6, 2023, the Legislature has not taken additional action to address this specific recommendation.

AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and prohibited the information or records from being disclosed. This bill died in the Senate.

California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted


Description of Legislative Action

AB 2190 (Irwin, 2022) would have required the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection and the Senate Governmental Organization Committee, with the first report required to be submitted no later than January 2023. The bill would have also required the status report and any information or records included with the status report to be confidential and prohibited the information or records from being disclosed. This bill died in the Senate.

California State Auditor's Assessment of Status: Legislation Proposed But Not Enacted


Description of Legislative Action

AB 2190 (Irwin, 2022) would require the chief of the CDT Office of Information Security to submit an annual statewide information security status report to the Assembly Committee on Privacy and Consumer Protection, with the first report required to be submitted no later than January 2023. The bill would require the status report and any information or records included with the status report to be confidential and prohibit the information or records from being disclosed.

California State Auditor's Assessment of Status: Legislation Introduced

