California: municipal breach notification
CCPA/CPRA layers consumer-privacy obligations on top of standard breach law. Public agencies are exempted from many CCPA provisions but breach-notification still applies.
Notification must be made without unreasonable delay; a copy of the notice must be sent to the Attorney General if more than 500 residents are affected.
- AG submission is online and public-facing within hours of filing.
- Substitute notice allowed when notification cost exceeds $250,000 or affected residents exceed 500,000.
- Encryption safe harbor available if data was encrypted and the key was not also compromised.
What this means for a California municipality
Small and mid-sized municipalities in California sit at the intersection of federal frameworks (CIRCIA, HIPAA where EMS or public-health clinics are in scope, CJIS for police records) and the state breach-notification statute enforced by the California Attorney General. The clock starts when your team has a reasonable belief that resident PII was acquired by an unauthorized party, not when the investigation finishes.
For a town under 100,000 residents, the practical question is rarely "do we have to notify?" but rather "what's the cleanest path that satisfies the California Attorney General, our cyber-insurance carrier, and our open-meeting obligations, in that order." The HackFirstAid triage walks through that decision tree; the matching playbooks include first-hour scripts that have already been screened against California's statute.
If you're a California clerk, CAO, IT director, or council member reading this during a live incident, open the free triage first. If you're reading it on a quiet Tuesday, it also works as a tabletop exercise: most municipalities run it once before they need it, then once for real, six months later.
- Tax, permits, utility billing, and court scheduling encrypted on the same morning.
- Fraudulent wire instructions on a vendor payment or payroll change.
- Vital records, property assessments, or business licenses exposed or altered.