12168.7. (a) The Legislature hereby recognizes the need to adopt uniform statewide standards for the purpose of storing and recording public records in electronic media or in a cloud computing storage service.
(b) In order to ensure that uniform statewide standards remain current and relevant, the Secretary of State, in consultation with the Department of Technology, shall approve and adopt appropriate uniform statewide standards by using standards that are accredited by the American National Standards Institute or other applicable industry-recognized standards making body, including the International Organization for Standardization TR 15801:2017 or successor standard, for storing and recording public records in electronic media or in a cloud computing storage service.
(c) (1) The standards specified in subdivision (b) shall include a requirement that a trusted system be utilized. For this purpose and for purposes of Sections 25105, 26205, 26205.1, 26205.5, 26907, 27001, 27322.2, 27361.4, 34090.5, and 60203, Section 102235 of the Health and Safety Code, and Section 10851 of the Welfare and Institutions Code, “trusted system” means a combination of technologies, policies, and procedures for which there is no plausible scenario in which a public record retrieved from or reproduced by the system could differ substantially from the public record that is originally stored.
(2) For a state agency that stores and records public records pursuant to this section, the uniform statewide standards specified in subdivision (b) shall include a definition of “trusted system” that combines the various elements of trusted systems specified in this section.
(d) (1) A cloud computing storage service that complies with International Organization for Standardization ISO/IEC 27001:2013, or other applicable industry-recognized standards relating to techniques and information security management, and that provides administrative users with controls to prevent stored public records from being overwritten, deleted, or altered, shall be considered a trusted system.
(2) Notwithstanding paragraph (1), all public records stored or recorded in electronic media or in a cloud computing service by a state agency shall comply with a trusted system as defined in the uniform statewide standards adopted pursuant to subdivision (b).
(e) A trusted system using cloud computing storage service shall also comply with applicable standards articulated in the State Administrative Manual and the Statewide Information Management Manual. This requirement applies to state agencies and does not apply to local government entities, except to local government entities that have a system interconnection or data exchange with a state agency, or that contract with a state agency, for the development, use, or maintenance of an information system, product, solution, or service.
(f) (1) A state agency, prior to establishing an information technology system interconnection or data exchange with a local government entity or otherwise partnering with a local government entity for the development, use, or maintenance of an information technology system, product, or service, shall first enter into a written agreement with that local government entity for the purpose of establishing mutually agreeable terms that protect relevant public records.
(2) The requirements of paragraph (1) shall apply prospectively, after the effective date of this subdivision, to new agreements of the types specified and to existing agreements of the types specified when they are considered for renewal.
(g) For the purposes of this section, the following definitions shall apply:
(1) “Cloud computing” has the same definition as the term is defined by the National Institute of Standards and Technology Special Publication 800-145, or a successor publication, and includes the service and deployment models referenced therein.
(2) “Public records” includes permanent and nonpermanent documents.
(3) “State agency” has the same meaning as that term is defined in Section 11000.
(h) The Secretary of State shall ensure that microfilming, electronic data imaging, and photographic reproduction are done in compliance with the minimum standards or guidelines, or both, as recommended by the American National Standards Institute for recording of public records or any other applicable and comparable industry standard.
(i) Nothing in this section shall prohibit a local government entity from adopting applicable standards articulated in the Secretary of State’s uniform statewide standards for Trustworthy Electronic Document or Record Preservation, the State Administrative Manual, or the Statewide Information Management Manual for purposes of utilizing a trusted system as defined in subdivision (c).
(j) This section shall remain in effect only until January 1, 2026, and as of that date is repealed.
(Amended by Stats. 2019, Ch. 41, Sec. 1. (AB 212) Effective January 1, 2020. Repealed as of January 1, 2026, by its own provisions. See later operative version added by Sec. 2 of Stats. 2019, Ch. 535.)