California Gov. Newsom signs K-12 cyber reporting bill

California Gov. Gavin Newsom last week signed a bill requiring grade schools to report cyberattacks and other breaches to the state’s cybersecurity team.

The new law encompasses K-12 districts, county education boards and charter schools, requiring those organizations to report any incident that affects at least 500 students — or other individuals — to the California Cybersecurity Integration Center, a multi-agency security operations center in Sacramento. It’ll also order the center — which is run by the California Office of Emergency Services, in conjunction with the California Department of Technology, California Highway Patrol and National Guard — to create a registry of cyberattacks reported by local education systems.

California lawmakers approved AB 2355, introduced by Assemblymember Rudy Salas, a Central Valley Democrat, on Aug. 25. A few weeks later, the Los Angeles Unified School District — the nation’s second-biggest K-12 system, with roughly 665,000 students — reported suffering a ransomware attack. That incident, which has been attributed to the Vice Society group, resulted in the district’s board granting Superintendent Alberto Carvalho emergency spending powers as it continues recovering.

Salas’ office did not reply to requests for comment.

California law currently requires state agencies and private companies to report breaches affecting more than 500 individuals to the California Cybersecurity Integration Center.

Several other states in the past few years have created new cyber incident reporting requirements, including Indiana, New Hampshire, North Carolina and Virginia.