October 17, 2017, Introduced by Senator BOOHER and referred to the Committee on Banking and Financial Institutions.
A bill to amend 1984 PA 431, entitled
"The management and budget act,"
(MCL 18.1101 to 18.1594) by adding section 466.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 466. (1) The cybersecurity council is created within the
department.
(2) The cybersecurity council shall consist of the following
11 members:
(a) The director of the department or his or her designee.
(b) The director of the department of talent and economic
development or his or her designee.
(c) The director of the department of state police or his or
her designee.
(d) The director of the department of military and veterans
affairs or his or her designee.
(e) The chief executive officer of the Michigan economic
development corporation or his or her designee.
(f) Six members appointed by the governor as follows:
(i) One representing the interests of institutions of higher
education.
(ii) One representing the interests of community colleges.
(iii) One representing the interests of the business community
with knowledge or experience in hospital operations.
(iv) One representing the interests of the business community
with knowledge or experience in retail operations.
(v) One representing the interests of the business community
with knowledge or experience in finance.
(vi) One representing the interests of the business community
with knowledge or experience in general business.
(3) The members first appointed to the cybersecurity council
shall be appointed within 90 days after the effective date of the
amendatory act that added this section.
(4) Members of the cybersecurity council shall serve for terms
of 4 years or until a successor is appointed, whichever is later,
except that of the members first appointed under subsection (2)(f),
2 shall serve for 2 years, 2 shall serve for 3 years, and 2 shall
serve for 4 years.
(5) If a vacancy occurs on the cybersecurity council, the
governor shall make an appointment for the unexpired term in the
same manner as the original appointment.
(6) The governor may remove a member of the cybersecurity
council for incompetence, dereliction of duty, malfeasance,
misfeasance, or nonfeasance in office, or any other good cause.
(7) The first meeting of the cybersecurity council shall be
called by the governor. At the first meeting, the cybersecurity
council shall elect from among its members a chairperson and other
officers as it considers necessary or appropriate. After the first
meeting, the cybersecurity council shall meet at least quarterly,
or more frequently at the call of the chairperson or if requested
by 6 or more members.
(8) A majority of the members of the cybersecurity council
constitute a quorum for the transaction of business at a meeting of
the cybersecurity council. A majority of the members present and
serving are required for official action of the cybersecurity
council.
(9) The business that the cybersecurity council may perform
shall be conducted at a public meeting of the cybersecurity council
held in compliance with the open meetings act, 1976 PA 267, MCL
15.261 to 15.275.
(10) The following records are exempt from disclosure under
the freedom of information act, 1976 PA 442, MCL 15.231 to 15.246:
(a) Records or information of measures designed to protect the
security or safety of persons or property, or the confidentiality,
integrity, or availability of information systems, whether public
or private, including, but not limited to, building, public works,
and public water supply designs to the extent that those designs
relate to the ongoing security measures of a public body,
capabilities and plans for responding to a violation of the
Michigan anti-terrorism act, chapter LXXXIII-A of the Michigan
penal code, 1931 PA 328, MCL 750.543a to 750.543z, emergency
response plans, risk-planning documents, threat assessments, and
domestic preparedness strategies, and cybersecurity plans,
cybersecurity assessments, or cybersecurity vulnerabilities, unless
disclosure would not impair a public body's ability to protect the
security or safety of persons or property or unless the public
interest in disclosure outweighs the public interest in
nondisclosure in the particular instance.
(b) Information that would identify or provide a means of
identifying a person that may, as a result of disclosure of the
information, become a victim of a cybersecurity incident or that
would disclose a person's cybersecurity plans or
cybersecurity-related practices, procedures, methods, results, organizational
information system infrastructure, hardware, or software.
(11) Members of the cybersecurity council shall serve without
compensation. However, members of the cybersecurity council may be
reimbursed for their actual and necessary expenses incurred in the
performance of their official duties as members of the
cybersecurity council.
(12) The cybersecurity council may request the assistance of
state agencies, departments, or offices to carry out its duties.
(13) Not later than December 1 of each year, the cybersecurity
council shall submit the report described in subsection (14) for
the immediately preceding fiscal year to all of the following:
(a) The director of the department.
(b) The governor.
(c) The lieutenant governor.
(d) The majority leader of the senate.
(e) The speaker of the house of representatives.
(f) The senate standing committee that has jurisdiction of
cybersecurity matters.
(g) The house of representatives standing committee that has
jurisdiction of cybersecurity matters.
(14) Each year, the cybersecurity council shall issue a report
detailing its activities for the fiscal year that includes, but is
not limited to, all of the following:
(a) Improving the infrastructure of this state's cybersecurity
operations with existing resources and through partnerships between
government, business, and institutions of higher education.
(b) Examining specific actions to accelerate the growth of
cybersecurity as an industry in this state.
(15) The cybersecurity council shall create and operate a
voluntary program that recognizes private and public entities
functioning with exemplary cybersecurity practices as determined by
the cybersecurity council. The voluntary program shall do all of
the following:
(a) Establish minimum protections for recognition in the
voluntary program.
(b) Establish an annual review of the minimum protections
described in subdivision (a).
(16) As used in this section:
(a) "Cybersecurity assessment" means an investigation
undertaken by a person, governmental body, or other entity to
identify vulnerabilities in cybersecurity plans.
(b) "Cybersecurity incident" includes, but is not limited to,
a computer network intrusion or attempted intrusion; a breach of
primary computer network controls; unauthorized access to programs,
data, or information contained in a computer system; or actions by
a third party that materially affect component performance or,
because of impact to component systems, prevent normal computer
system activities.
(c) "Cybersecurity plan" includes, but is not limited to,
information about a person's information systems, network security,
encryption, network mapping, access control, passwords,
authentication practices, computer hardware or software, or
response to cybersecurity incidents.
(d) "Cybersecurity vulnerability" means a deficiency within
computer hardware or software, or within a computer network or
information system, that could be exploited by unauthorized parties
for use against an individual computer user or a computer network
or information system.
Enacting section 1. This amendatory act does not take effect
unless Senate Bill No. 633 of the 99th Legislature is enacted into law.