New Law Requires Local Public Agencies in California To Notify Anyone Affected by a Security Breach

Cities, Counties, Special Districts and School Districts Must Now Notify Those Impacted by Security Breaches

Gov. Jerry Brown recently signed Assembly Bill 1149 (AB 1149) and Senate Bill 46 (SB 46) into law, extending the requirements of the state’s information privacy breach notice law to local public agencies and expanding the scope of personal information that prompts a disclosure of a security breach.

California’s security breach notification law requires state agencies and businesses to notify residents when the security of their personal information has been breached. The disclosure must be made as quickly as possible and without unreasonable delay. Previous law did not place similar disclosure requirements on local public agencies. 

AB 1149, however, expands this disclosure requirement to apply to a breach of computerized data that is owned, licensed, or maintained by  any county, city, school district, municipal corporation, special district or other local public agency. Further, SB 46 expands the scope of personal information subject to security breach disclosure requirements to include a user name or e-mail address, in combination with a password or security question and answer that permits access to an online account. Both laws take effect on Jan. 1. 

Local public agencies will now need to establish a protocol in order to timely respond in the event of a data breach. In addition, local public agencies will likely need to file a test claim with the Commission on State Mandates (Commission) to determine whether the mandatory notification requirements constitute state-reimbursable mandates. If the Commission determines parts or all of the notification requirements are state mandates, then local public agencies can apply to the Legislature for reimbursement of costs associated with notification.