IT recommends amendments to cybersecurity reporting bill, warns of overly broad reporting and sharing authority
Summary
IT staff told commissioners H34055 has useful aims for coordinated cybersecurity information sharing but the draft’s subjective incident definitions and broad data-sharing authority to the state CSO risk diverting local response resources; the county recommended oppose-with-amendments and requested objective thresholds similar to HIPAA standards.
Zach, the county’s IT representative, briefed the board on H34055, a bill to coordinate cybersecurity incident reporting with the state. Zach said the county supports the bill’s goal of information sharing but 'opposes without amendments' because the draft lacks objective definitions of a cybersecurity incident and could require reporting live vulnerabilities and remediation plans within 48 hours, diverting limited staff resources during an active incident.
He also warned section 4(b) could grant the state Chief Security Officer overly broad authority to share county vulnerability information and remediation plans with unspecified parties, which could expose sensitive operational details. Zach recommended adopting objective thresholds and reporting standards that mirror existing HIPAA-style triggers (e.g., initial status, date/time, incident type) rather than broad immediate disclosures.
Commissioners discussed the varying capacity across Oregon’s 36 counties and asked whether the state SOC (security operations center) and existing state resources could be explicitly listed as part of the coordination framework so smaller counties could access assistance; Zach confirmed the state SOC exists but is not mentioned in the current draft and recommended tailoring reporting obligations to county capacity.
Why it matters: cybersecurity incidents can affect core county services and sensitive infrastructure; vague statutory requirements could inadvertently hamper incident response or expose vulnerabilities. County IT recommended authoring targeted amendments to clarify definitions, reporting windows, and legitimate recipients of sensitive information.
What’s next: the county will keep the bill at 'oppose without amendments' for now and work with drafters on objective reporting standards and clearer limits on state sharing authority.
