This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Perspective

Jan. 18, 2017

Criminal record: [file missing]

Something is wrong with a state budget that favors cannabis regulation over cybersecurity, and an attack on California's law enforcement or court system could be devastating. By Anita Taff-Rice


CYBERSLEUTH

California Gov. Jerry Brown's proposed 2017 budget, released Jan. 10, requests $179.5 billion to fund state operations. That budget includes a paltry $9.9 million to fund cybersecurity for the entire state. By way of comparison, the budget includes $52.2 million for the regulation of cannabis in 2017.

The $9.9 million funding will be spread across 12 agencies, including the Department of Transportation, California Highway Patrol, State Controller's Office, State Treasury, State Teacher's Retirement System and the Department of Alcoholic Beverage Control. Noticeably absent is the judiciary.

It is surprising that Brown isn't doing more to protect the state's computer networks and technology because the state has already been the target of hackers. In March 2014, the Department of Motor Vehicles reported that its credit card processing service (provided by an outside company) had been hacked. The hacker reportedly stole six months of data, including credit card numbers, and the three-digit security code for those cards. It was not disclosed how many credit card holders' data was stolen.

In the California Data Breach Report issued last February, the California Department of Justice found that there have been 657 data breaches, affecting a total of over 49 million records of Californians between 2012 and 2015. That means that three out of five Californians had their personal data breached. The two hardest hit industry sectors were retail and financial/insurance, but the report concludes that 5 percent of the data breaches were at California government agencies.

The report did not identify the specific agencies that had data breaches, but it did identify the manner in which breaches occurred. The vast majority of breaches in the retail and hospitality industries were the result of hacking or malware. Interestingly, only 15 percent of data breaches at California agencies were due to hacking or malware. More than twice as many government data breaches, 32 percent, were due to physical breaches, meaning breaches due to theft or loss of unencrypted data on computers, storage devices, or even on paper. Alarmingly, 50 percent of government data breaches were due to "errors," which the study defined as "sending information by email to unintended persons, disposing of digital devices without first 'wiping' the data, and unintentionally making information available to unauthorized persons by posting it on a website."

The most common type of data stolen was Social Security numbers (47 percent), followed by medical information (36 percent), payment card information (32 percent) and driver's license information (17 percent).

Theft of credit card information from state agencies is bad enough, but failing to mount a serious effort at preventing (or at least quickly detecting) cyberattacks could create much more alarming results if other types of information or systems were targeted.

In 2001 ComputerWorld reported that hackers broke into computer systems owned by the California Independent System Operator (Cal-ISO), an independent entity that oversees the transmission of electricity on California's power grid. The breach was reportedly undetected for 17 days. Cal-ISO reported at the time that no damage was done to its computer systems, so experts speculated that the motive of the hackers was to collect information about the California electric grid and possibly to identify vulnerabilities.

Over the last few years, the vulnerability of the electric grid has increased. In 2009, the governor signed into law legislation that moves the state to a so-called "smart grid" that includes electronic technologies that allow for monitoring and control of the grid, including dynamic load balancing and enabling pricing for energy by time of day. Last year there were reports that Russian hackers were targeting the U.S. electric grid and successfully placed malware on a computer at Burlington Electric, a Vermont energy utility.

An attack on California's law enforcement or court system would be even worse. While no reports have been published of such attacks, the motivation is obvious. The most innocuous attack might attempt to obtain credit card information stored in court computers used to pay filing fees or copying charges. Hackers might also attempt to breach computer systems to obtain highly confidential information filed with the court under seal.

But the biggest threat might be individuals whose hired hackers break into court records in order to alter or delete criminal convictions or embarrassing or sensitive information. Personal data stolen in cyberattacks outside of the court system could also be used to foul law enforcement and court records. The Data Breach Report cited examples in which cyberthieves have provided stolen Social Security numbers when arrested, thereby creating fraudulent criminal records in someone else's name. The report notes that such fraud "can take months or sometimes years to detect. Even when detected, undoing the damage can be very challenging because it is almost never possible to change your Social Security number." Even if the fraudulent records are corrected, the hackers still have the stolen Social Security numbers and "can revictimize individuals repeatedly for years," the report notes.

The effort to guard against cyberattacks on critical state computer systems and networks must occur before the attack. Gov. Brown's budget does little to address this problem even though there is funding available. The budget includes an $8 billion "rainy day" fund, some of which could be used to begin a meaningful effort to install technology, hire experts and train government employees to prevent cyberattacks. Rainy days are here.

Anita Taff-Rice is the founder of iCommLaw, a law firm specializing in technology and telecommunications issues. She may be reached at anita@icommlaw.com.
