(a) To be eligible to establish an electronic recording delivery system, a county recorder shall contract with, and obtain a report from, a computer security auditor selected from a list of computer security auditors approved by the Attorney General.

(b) The Attorney General shall approve computer security auditors on the basis of significant experience in the evaluation and analysis of internet security design, the conduct of security testing procedures, and specific experience performing internet penetration studies. The Attorney General shall complete the approval of security auditors within 90 days of a request from a county recorder. The list shall be a public record.

(c) An electronic recording delivery system shall be audited, at least once during the first year of operation and periodically thereafter, as set forth in regulation and in the system certification, by a computer security auditor. The computer security auditor shall conduct security testing of the electronic recording delivery system. The reports of the computer security auditor shall include, but not be limited to, all of the following considerations:

(1) Safety and security of the system, including the vulnerability of the electronic recording delivery system to fraud or penetration.

(2) Results of testing of the system’s protections against fraud or intrusion, including security testing and penetration studies.

(3) Recommendations for any additional precautions needed to ensure that the system is secure.

(d) Upon completion, the reports and any response to any recommendations shall be transmitted to the board of supervisors, the county recorder, the county district attorney, and the Attorney General. These reports shall be exempt from disclosure under the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1).

(e) A computer security auditor shall have access to any aspect of an electronic recording delivery system, in any form requested. Computer security auditor access shall include, but not be limited to, permission for a thorough examination of source code and the associated approved escrow facility, and necessary authorization and assistance for a penetration study of that system.

(f) If the county recorder, a computer security auditor, a district attorney for a county participating in the electronic recording delivery system, or the Attorney General reasonably believes that an electronic recording delivery system is vulnerable to fraud or intrusion, the county recorder, the board of supervisors, the district attorney, and the Attorney General shall be immediately notified. The county recorder shall immediately take the necessary steps to guard against any compromise of the electronic recording delivery system, including, if necessary, the suspension of an authorized submitter or of the electronic recording delivery system.

(Amended by Stats. 2021, Ch. 615, Sec. 190. (AB 474) Effective January 1, 2022. Operative January 1, 2023, pursuant to Sec. 463 of Stats. 2021, Ch. 615.)