[Section 4662 repealed effective June 30, 2028.]

§ 4662. Cybersecurity Advisory Council

(a) Creation. There is created the Cybersecurity Advisory Council to advise on the State‘s cybersecurity infrastructure, best practices, communications protocols, standards, training, and safeguards.

(b) Membership. The Council shall be composed of the following members:

(1) the Chief Information Officer, who shall serve as the Chair or appoint a designee from the Council to serve as the Chair;

(2) the Chief Information Security Officer;

(3) a representative from a distribution or transmission utility, appointed by the Commissioner of Public Service;

(4) a representative from a State municipal water system, appointed by the Secretary of Natural Resources;

(5) a representative from a Vermont hospital, appointed by the President of the Vermont Association of Hospitals and Health Systems;

(6) a person representing a Vermont business related to an essential supply chain, appointed by the Chair of the Vermont Business Roundtable;

(7) the Director of Vermont Emergency Management or designee;

(8) the Governor’s Homeland Security Advisor or designee;

(9) the Vermont Adjutant General or designee;

(10) the Attorney General or designee; and

(11) the President of Vermont Information Technology Leaders or designee.

(c) Powers and duties. The Council shall have the following duties:

(1) develop a strategic plan for protecting the State’s public sector and private sector information and systems from cybersecurity attacks;

(2) evaluate statewide cybersecurity readiness and develop and share best practices for policies and procedures to strengthen administrative, technical, and physical cybersecurity safeguards as a resource for State government, Vermont businesses, and the public;

(3) build relationships and conduct outreach within State government and to federal government and the private sector to ensure the resilience of electronic information systems;

(4) build strong partnerships with local universities and colleges in order to leverage cybersecurity resources;

(5) conduct an inventory and review of cybersecurity standards and protocols for critical sector infrastructures and make recommendations on whether improved or additional standards and protocols are necessary; and

(6) identify and advise on opportunities to:

(A) ensure Vermont promotes, attracts, and retains a highly skilled cybersecurity workforce;

(B) raise citizen awareness through outreach and public service announcements;

(C) provide technical capabilities, training, and advice to local government and the private sector;

(D) provide recommendations on legislative action to the General Assembly to protect critical assets, infrastructure, services, and personally identifiable information;

(E) advise on strategic, operational, and budgetary impacts of cybersecurity on the State;

(F) engage State and federal partners in assessing and managing risk;

(G) investigate ways the State can implement a unified cybersecurity communications and response, including recommendations for establishing statewide communication protocols in the event of a cybersecurity incident; and

(H) access cyber-insurance, including how to increase availability and affordability of cyber-insurance for critical industries.

(d) Assistance. The Council shall have the administrative and technical assistance of the Agency of Digital Services.

(e) Working groups and consultations.

(1) The Council may establish interagency working groups to support its charge, drawing membership from any State agency or department.

(2) The Council may consult with private sector and municipal, State, and federal government professionals for information and advice on issues related to the Council’s charge.

(f) Meetings.

(1) A majority of the membership shall constitute a quorum.

(2) The Council shall meet at least quarterly.

(3)(A) In addition to 1 V.S.A. § 313, the Council is authorized to enter into an executive session to consider:

(i) testimony from a person regarding details of a cybersecurity incident or response to that incident, the disclosure of which would jeopardize public safety; or

(ii) any evaluations, recommendations, or discussions of cybersecurity standards, protocols, and incident responses, the disclosure of which would jeopardize public safety.

(B) Members of the Council and persons invited to testify before the Council shall not disclose to the public information, records, discussions, and opinions stated in connection to the Council’s work if the disclosure would jeopardize public safety.

(g) Reports. On or before January 15 each year, the Council shall submit a written report to the House Committees on Commerce and Economic Development, on Environment and Energy, on Government Operations and Military Affairs, and on Ways and Means and the Senate Committees on Economic Development, Housing and General Affairs, on Finance, and on Government Operations with a status update on the work of the Council and any recommendations for legislative action. The provisions of 2 V.S.A. § 20(d) (expiration of required reports) shall not apply to the report to be made under this subsection.

(h) Public Records Act exemption. Any records or information produced or acquired by the Council regarding cybersecurity standards, protocols, and incident responses, if the disclosure would jeopardize public safety, shall be kept confidential and shall be exempt from public inspection or copying under Vermont’s Public Records Act. Notwithstanding 1 V.S.A. § 317(e), the Public Records Act exemption created in this section shall continue in effect and shall not be reviewed for repeal.

(i) Compensation and reimbursement. Members of the Council who are not otherwise compensated or reimbursed for their attendance shall be entitled to per diem compensation and reimbursement of expenses as permitted under 32 V.S.A. § 1010. These payments shall be made from monies appropriated to the Agency of Digital Services. (Added 2023, No. 71, § 1, eff. July 1, 2023; repealed on June 30, 2028 by 2023, No. 71, § 4.)