What is a state entity expected to do if the California Highway Patrol (CHP) Computer Crimes Investigations Unit (CCIU) decides to not investigate the incident?

A state entity is expected to complete and submit the California Compliance and Security Incident Reporting System (Cal-CSIRS) incident report to the Office of Information Security (OIS). The CHP and CCIU criteria to investigate are not the same as the criteria to identify an incident and file an incident report with the OIS. These are separate paths.

The CHP CCIU may have many reasons for not pursuing a criminal investigation, such as insufficient evidence in which to build a case or an inability to meet a specific dollar threshold. The CHP CCIU’s decision not to investigate does not eliminate the requirements for agencies to conduct their administrative investigation and root cause analysis, to pursue appropriate administrative remedies and corrective actions, to submit a Cal-CSIRS incident report with the OIS or, if needed, to notify individuals that their personal information was improperly accessed or acquired.

The Cal-CSIRS incident report provides documentation and accountability in response to incidents. It helps the state entity identify and correct problems and control deficiencies within the state entity, and ensures that the head of the state entity is aware of the incident and its cause, so that he/she can direct the state entity’s response and corrective action plan to prevent similar occurrences in the future.