Bill Text: CA SB1218 | 2019-2020 | Regular Session | Amended


Bill Title: Electrical and gas delivery systems: cybersecurity threats.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2020-04-01 - From committee with author's amendments. Read second time and amended. Re-referred to Com. on RLS.

Amended in Senate April 01, 2020

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Senate Bill No. 1218


Introduced by Senator Hill

February 20, 2020


An act to add Chapter 4.6 (commencing with Section 8375) to Division 4.1 of the Public Utilities Code, relating to energy.


LEGISLATIVE COUNSEL'S DIGEST


SB 1218, as amended, Hill. Electrical and gas delivery systems: cybersecurity threats.
Under existing law, the Public Utilities Commission has regulatory authority over public utilities, including electrical corporations and gas corporations, while local publicly owned electric utilities and local publicly owned gas utilities are under the direction of their governing boards. Existing law provides that the commission has no authority to establish rates or regulate the borrowing of money, the issuance of evidences of indebtedness, or the sale, lease, assignment, mortgage, or other disposal or encumbrance of the property of any electrical cooperative, but that electrical cooperatives are otherwise subject to the regulatory authority of the commission pursuant to the Public Utilities Act.

Existing law requires the commission to adopt inspection, maintenance, repair, and replacement standards, and to consider adopting rules to address the physical security risks to the distribution systems of electrical corporations, and requires the standards or rules to provide for high-quality, safe, and reliable service. Existing law requires the commission to also adopt standards for operation, reliability, and safety during periods of emergency and disaster. Existing law requires the commission, in setting its standards and rules, to consider cost, local geography and weather, applicable cybersecurity standards, potential physical security risks, national electrical industry practices, sound engineering judgment, and experience. Existing law requires the commission to conduct a review to determine whether the standards or rules have been met by an electrical corporation or gas corporation, including performing the review after every major outage. If the commission finds that the standards or rules have not been met, the commission is authorized to order appropriate sanctions, including penalties in the form of rate reductions or monetary fines.
This bill would require the commission to adopt inspection, detection, response, and replacement standards, and to adopt rules, to address the cybersecurity risks to the transmission and distribution systems of electrical corporations, electrical cooperatives, and gas corporations, and would require the standards or rules to provide for secure and reliable service. The bill would also require the commission to adopt standards for operation, reliability, and safety during periods of emergency and disaster. The bill would require the commission, in setting its standards or rules, to consider cost, applicable codes, potential cybersecurity risks, national security frameworks, sound engineering judgment, and experience. The bill would require the commission to conduct a review to determine whether the standards or rules have been met, including performing the review after every major service outage or data breach. The bill would require each electrical corporation, electrical cooperative, and gas corporation to report annually on its compliance with the standards or rules and provide that the report be made available to the public, but would authorize the commission, consistent with other provisions of law, to withhold from the public information generated or obtained that the commission determines would pose a security threat to the public if disclosed.
This bill would require each local publicly owned electric utility and local publicly owned gas utility to construct, maintain, and operate its electrical and gas transmission and distribution systems in a manner that will minimize the cybersecurity risks to those lines and equipment. The bill would require each local publicly owned electric utility and local publicly owned gas utility to annually prepare a cybersecurity plan and to present its plan to its governing board for review. The bill would authorize a local publicly owned electric utility or local publicly owned gas utility to contract with a qualified independent evaluator with experience in assessing the cybersecurity risk of electrical and gas infrastructure to review and assess the comprehensiveness of its cybersecurity plan, and would require any independent evaluator so retained to issue a report and to present the findings of the report at a meeting of the governing board. The bill would authorize the governing board, consistent with other provisions of law, to withhold from the public information generated or obtained pursuant to the bill’s requirements that the governing board determines would pose a security threat to the public if disclosed.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
The California Constitution requires local agencies, for the purpose of ensuring public access to the meetings of public bodies and the writings of public officials and agencies, to comply with a statutory enactment that amends or enacts laws relating to public records or open meetings and contains findings demonstrating that the enactment furthers the constitutional requirements relating to this purpose.
This bill would make legislative findings to that effect.
Under existing law, a violation of the Public Utilities Act or any order, decision, rule, direction, demand, or requirement of the commission is a crime.
Because this bill would require action by the commission to implement its requirements with respect to electrical corporations, electrical cooperatives, and gas corporations and a violation of the standards or rules adopted by the commission would be a crime, the bill would impose a state-mandated local program by expanding the definition of a crime. By placing additional duties on local publicly owned electric utilities and gas utilities, the bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for specified reasons.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) Cyber threats to the electrical and gas transmission and distribution system present risks to public health and safety and could disrupt economic activity in California.
(b) Ensuring appropriate actions are taken to protect and secure vulnerable system assets from cyber threats that could disrupt safe and reliable electrical or gas service, or disrupt essential public services, are in the public interest.
(c) Proper planning, in coordination with the appropriate federal and state regulatory and law enforcement authorities, will help prepare for cyber attacks on the electrical and gas delivery system and thereby help reduce the potential consequences of those attacks.

SEC. 2.

 Chapter 4.6 (commencing with Section 8375) is added to Division 4.1 of the Public Utilities Code, to read:
CHAPTER 4.6. Energy Infrastructure Security

8375.
 (a) The commission shall adopt inspection, detection, response, and replacement standards, and shall, in an existing proceeding, adopt rules, to address the cybersecurity risks to the transmission and distribution systems of electrical corporations, electrical cooperatives, and gas corporations. The standards or rules, which shall be prescriptive or performance based or both, and may be based on risk management, as appropriate, for each substantial type of equipment or facility, shall provide for secure and reliable service. The commission shall also adopt standards for operation, reliability, and safety during periods of emergency and disaster.
(b) In setting its standards or rules, the commission shall consider cost, applicable cybersecurity standards, potential cybersecurity risks, national security frameworks, sound engineering judgment, and experience. The commission shall require each electrical corporation, electrical cooperative, and gas corporation to report annually on its compliance with the standards or rules. Except as provided in subdivision (d), that report shall be made available to the public.
(c) The commission shall conduct a review to determine whether the standards or rules prescribed in this section have been met by an electrical corporation, electrical cooperative, or gas corporation. If the commission finds that the standards or rules have not been met, the commission may order appropriate sanctions, including penalties in the form of rate reductions or monetary fines. The review shall be performed after every major service outage or data breach.
(d) The commission may, consistent with other provisions of law, withhold from the public information generated or obtained pursuant to this section that the commission determines would pose a security threat to the public if disclosed.

8377.
 (a) Each local publicly owned electric utility and local publicly owned gas utility shall construct, maintain, and operate its electrical and gas transmission and distribution systems in a manner that will minimize the cybersecurity risks to those lines and equipment.
(b) Each local publicly owned electric utility and local publicly owned gas utility shall annually prepare a cybersecurity plan and shall present its plan to its governing board for review.
(c) A local publicly owned electric utility or local publicly owned gas utility may contract with a qualified independent evaluator with experience in assessing the cybersecurity risk of electrical and gas infrastructure to review and assess the comprehensiveness of its cybersecurity plan. An independent evaluator that is retained to review and assess the comprehensiveness of a utility’s cybersecurity plan shall issue a report and shall present the findings of the report at a meeting of the governing board. While it is the intent of the Legislature that reasonable effort be given to make information available to the public, nothing in this section limits the authority of the governing body to hold a closed session pursuant to Section 54957 of the Government Code.
(d) The governing board may, consistent with other provisions of law, withhold from the public information generated or obtained pursuant to this section that it deems would pose a security threat to the public if disclosed.

SEC. 3.

 The Legislature finds and declares that Section 2 of this act, which adds Sections 8375 and 8377 to the Public Utilities Code, imposes limitations on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
The disclosure of information pertaining to cybersecurity threats and those measures being undertaken to protect critical energy delivery infrastructure from cybersecurity threats could pose a substantial security threat to the public and appropriately limiting access to that information will protect the public health and safety.

SEC. 4.

 The Legislature finds and declares that Section 2 of this act, which adds Sections 8375 and 8377 to the Public Utilities Code, furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the Legislature makes the following findings:
By appropriately limiting the disclosure of information pertaining to cybersecurity threats and those measures being undertaken to protect critical energy delivery infrastructure from cybersecurity threats, the disclosure of which could pose a substantial security threat to the public, this bill will protect the public health and safety and furthers the purpose of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution.

SEC. 5.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because a local agency or school district has the authority to levy service charges, fees, or assessments sufficient to pay for the program or level of service mandated by this act or because costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.