The incident reporting criteria used to only require the reporting of a loss or theft of state-owned Information Technology (IT) equipment valued at $2,000 or more, but the state policy now requires agencies to report any loss or theft of state-owned IT equipment or any electronic devices containing or storing personal, sensitive, or confidential data. Why did it change from the previous dollar threshold of $2,000?

The dollar threshold was removed for various reasons. One important reason is that many devices or equipment can be purchased today for very low costs. For example, laptops can be purchased for less than $800, but the data on them can be at high risk if lost or stolen. Another important reason is that the state must be able to track and assess the impact of security incidents from a statewide perspective. It is important to report any loss of state IT equipment, especially those devices that store or contain data/information. The information collected by the Office of Information Security, the California Highway Patrol, and other agencies from these reports can indicate trends, and help the state focus on finding solutions to address issues affecting all or multiple agencies.