Codify — Article

AB 1337 tightens California agency breach-notification rules, adds encryption-key trigger

Standardizes breach notices, expands what counts as personal data (biometric, genetic, ALPR) and forces sample filings with the Attorney General — shifting operational and legal risk onto public agencies and their vendors.

The Brief

AB 1337 amends Section 1798.29 of the Information Practices Act of 1977 to set detailed, mandatory requirements for California agencies that own or license computerized personal information. The bill requires agencies to notify California residents when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person and extends notification obligations to encrypted data when the encryption key or security credential is also compromised or reasonably believed to be compromised.

It codifies timing caveats for law-enforcement delays and requires immediate notice to owners or licensees when an agency merely maintains, but does not own, the data.

Beyond triggers, the bill prescribes the look and content of notices (a titled “Notice of Data Breach” with specific headings and minimum type size), supplies a model form, expands the statutory definition of personal information to include unique biometric data, genetic data, and automated license plate recognition (ALPR) data, and imposes procedural steps such as submitting a sample notice to the Attorney General when a single breach affects more than 500 California residents. The net effect: tighter operational requirements and clearer legal obligations for state and local agencies and their vendors, with new compliance costs and oversight mechanics to watch for in contracts and incident response plans.

At a Glance

What It Does

Requires state and local agencies that own or license computerized personal data to notify affected California residents of breaches; encrypted data also triggers notice when the encryption key or security credential is believed compromised. The bill prescribes a standardized notice format, defines new categories of personal information, and creates filing and substitute-notice rules.

Who It Affects

State and local agencies, third‑party vendors and contractors that maintain agency data, information-security and legal teams responsible for incident response, and the Attorney General’s Office and Office of Information Security, which receive sample notices and media alerts for large incidents.

Why It Matters

The measure narrows ambiguity about when and how agencies must inform Californians, creates a single standardized notice model for easier consumer comprehension, and shifts practical risk (and costs) to public entities and their service providers — altering procurement, key-management practices, and breach-response playbooks.


What This Bill Actually Does

AB 1337 builds a practical checklist into California’s public-sector breach law. It starts by clarifying the trigger for notice: agencies must notify any California resident when unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

Crucially, the bill adds a parallel trigger for encrypted data: if an agency reasonably believes both that encrypted personal information was acquired and that the encryption key or security credential was also acquired (or could render the data usable), the agency must treat the event like any other breach and notify affected residents.

The bill splits duties depending on ownership: agencies that own or license data must notify residents directly; agencies that only maintain data for a third party must notify the owner or licensee immediately after discovering a breach. Notifications must be made “in the most expedient time possible and without unreasonable delay,” but an investigating law enforcement agency may temporarily delay notice if disclosure would impede a criminal investigation.

Notice must follow a mandated plain-language structure and may be provided in writing, electronically (if compliant with federal electronic-signature law), or by substitute notice in specified circumstances.

On form and content, AB 1337 prescribes a titled “Notice of Data Breach” with the headings “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” The law requires minimum content items — including the reporting agency’s contact information, types of compromised data, breach dates or date ranges when available, and whether law enforcement delayed notification — and it supplies a model notice agencies can use. For breaches exposing Social Security numbers or driver’s license/California ID numbers, notices must also include toll‑free numbers and addresses for the major credit reporting agencies. The bill also sets formatting expectations (conspicuous headings and a minimum 10‑point font) to promote clarity.

AB 1337 expands what “personal information” means for agencies: besides name paired with Social Security, driver’s license, account or payment data, or medical and health insurance information, the statute now lists unique biometric identifiers, ALPR data, and genetic data. It separately recognizes login credentials (username/email plus password or security question/answer) as covered when they permit access to online accounts.

The statute allows substitute notice when direct notice would cost more than $250,000, would require notifying more than 500,000 people, or when sufficient contact information is unavailable; substitute notice requires email (when available), prominent website posting for at least 30 days, and notification to statewide media and the state Office of Information Security.

The bill includes operational guardrails for specific scenarios: when the breach concerns only online-account login credentials (and no other listed personal information), an agency may comply by directing users to change passwords and security questions; if the breached credentials are for an agency‑provided email account, the agency must not send the notice to that same compromised address and must instead use another method or show a clear on‑screen notice when the resident accesses the account from a familiar IP/location. Agencies that already maintain consistent internal notice policies remain in compliance so long as their timing matches the statute.

Finally, the measure defines key terms (including “encrypted,” “encryption key,” and “genetic data”) and specifically brings the State Bar within these notification rules.

The Five Things You Need to Know

1. The bill requires notification when encrypted personal information is acquired and the agency reasonably believes the encryption key or security credential was also acquired and could render the data readable.

2. A breach notice must use the model headings, be titled “Notice of Data Breach,” include specified items (reporting agency contact, types of data exposed, breach date or range, law‑enforcement delay status) and, if SSNs or driver’s license/ID numbers were exposed, provide toll‑free numbers for major credit reporting agencies.

3. If a single breach affects more than 500 California residents, the agency must electronically submit a sample copy of the notice (with no PII) to the Attorney General.

4. Substitute notice is allowed only when direct notice would cost over $250,000, affect more than 500,000 people, or the agency lacks sufficient contact information; substitute notice must include email when available, a prominent 30‑day website posting, and notification to statewide media and the Office of Information Security.

5. When an agency’s email system credentials are the breached item, the agency may not send the notice to that same compromised email address and must use an alternative delivery method or on‑screen notification when the resident accesses the account from a known location.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Subdivision (a)–(b)

Who must notify and when (owners, licensees, and custodians)

Subdivision (a) makes the basic duty explicit: any agency that owns or licenses computerized data with personal information must disclose security breaches to affected California residents under the statute’s triggers. Subdivision (b) covers third‑party custodians: if an agency merely maintains data (but does not own it), the agency must notify the owner or licensee immediately after discovery. Practically, this creates a time‑sensitive handoff obligation for vendors and service providers and requires contracts to clarify who detects and executes notification.

Subdivision (c)

Law‑enforcement delay

This provision preserves a narrow exemption for ongoing criminal investigations: a law‑enforcement agency may temporarily delay notification if disclosure would impede the probe. The statute requires that notice occur once law enforcement determines notification will not compromise the investigation. Implementation will require clear communication protocols between public agencies and investigating authorities to avoid unnecessary delays or disputes about when notice should be sent.

Subdivision (d)

Required notice content and presentation

Subdivision (d) prescribes the exact structure of the consumer notice: plain language, a title of “Notice of Data Breach,” five fixed headings, and a minimum 10‑point type size. It also includes a model form and deems use of the model or the required headings with the enumerated information compliant. The practical consequence is a quasi‑regulatory template agencies must follow — creative language is less important than including the mandated items and meeting conspicuity and font requirements, which can affect web and print templates used during an incident.

Subdivision (e) and (i)(3)

Attorney General filing and substitute‑notice thresholds

If a breach affects more than 500 California residents, the agency must electronically file a sample copy of the notice (with PII removed) with the Attorney General. Substitute notice is allowed only when the cost to provide direct notice exceeds $250,000, more than 500,000 people are affected, or the agency lacks sufficient contact information. Substitute notice must include email where available, at least 30 days of conspicuous posting on the agency’s website, and notification to statewide media and the Office of Information Security — a three‑track alternative that still requires public disclosure when mass notification by traditional means is impracticable.

Subdivision (f)–(h), (k)

Definitions and scope of personal information

These subdivisions define key terms: “breach of the security of the system,” the excluded good‑faith employee acquisition, and a detailed, updated list of what constitutes “personal information.” The statute now lists biometric data, automated license plate recognition data, and genetic data explicitly, plus the usual identifiers like SSNs, driver’s license numbers, financial account credentials, medical and health insurance information, and online login credentials. It also defines “encrypted” and explains that an “encryption key” or “security credential” is the confidential process that renders data usable — language that is central to when encrypted data triggers a notification.

Subdivision (i)(4)–(5) and (j)–(l)

Special delivery rules, electronic notice exceptions, and State Bar

The bill allows electronic notice consistent with federal E‑Sign rules and creates tailored rules for online account credential breaches: where only login credentials are involved, agencies may satisfy notice by directing users to change passwords and security questions. If the breached credential is an agency‑provided email account, the agency may not email the compromised address and must use another method or provide clear on‑screen notice when the resident accesses the account from a familiar IP. Subdivision (j) lets agencies complying with internal notification policies stand down if those policies meet the statute’s timing. Subdivision (l) explicitly requires the State Bar to comply with the section’s notification duties.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • California residents whose data is exposed — they get standardized, plain‑language notices with specific actionable items (dates, types of data, and credit‑reporting contact information) to help respond promptly to identity theft risks.
  • Individuals whose sensitive identifiers (biometrics, genetic data, ALPR data) are compromised — the statute explicitly recognizes these data types so agencies cannot rely on older, narrower definitions to avoid notice obligations.
  • Attorney General and Office of Information Security — receive sample notices and media alerts for large incidents, improving statewide situational awareness and enabling centralized oversight or guidance.
  • Agencies with mature incident‑response programs — those that already meet or exceed the statute’s timing and content requirements benefit from clear compliance safe harbors (use of the model notice and recognition of internal policies that align with timing requirements).

Who Bears the Cost

  • State and local agencies — must absorb the operational costs of drafting standardized notices, implementing conspicuity and font requirements across channels, and coordinating immediate notifications to owners/licensors or residents.
  • Third‑party vendors and contractors that store or process agency data — face contractual pressure to detect key compromise, notify owners promptly, and potentially revise indemnities and SLAs to allocate the new operational and legal risk.
  • IT and security teams — must strengthen key‑management, logging, and detection capabilities to establish the “reasonable belief” that a key or credential was compromised, which may require new tooling and forensic capacity.
  • Attorney General’s Office and Office of Information Security — will incur workload increases from reviewing sample notices and handling substitute‑notice reporting and media notifications for large incidents.
  • Small or resource‑constrained agencies — even with substitute‑notice allowances, these entities may lack the contact databases, forensic resources, or communication channels required to meet the statute’s procedural standards.

Key Issues

The Core Tension

The bill resolves one central dilemma — ensuring timely, useful notice to individuals — but creates a countervailing problem. The more aggressively agencies must notify (especially when encryption keys are suspected compromised), the higher the administrative and financial burden, the greater the chance of over‑notification, and the greater the risk of degrading trust if notices are frequent or imprecise. The law therefore forces a trade‑off between urgent consumer protection and manageable, defensible incident response for public entities.

AB 1337 tightens legal obligations in a way that brings operational and interpretive friction. The statute’s key ambiguity is the “reasonable belief” standard that triggers notice for both acquisition of data and for acquisition of encryption keys or security credentials.

That phrase gives agencies discretion to act early — reducing consumer harm — but also creates exposure to claims of premature or unnecessary notification if an agency misapplies the reasonableness standard. For encrypted data, treating a key compromise as a notice trigger encourages better key management and key‑separation practices, but it can also produce a surge of notifications following partial or ambiguous intrusions, increasing remediation cost and consumer fatigue.

The substitute‑notice and mass‑notification mechanics balance cost with public awareness, yet substitute notice is a blunt instrument. Requiring a 30‑day website posting and media notice when direct contact isn’t feasible preserves transparency but leaves a gap for individuals who do not monitor agency websites or media outlets.

The requirement to submit a sample notice to the Attorney General improves statewide tracking but raises practical questions about the AG’s capacity to review and whether those filings will prompt follow‑up enforcement or guidance. Finally, the ban on emailing a breached agency‑provided account is sensible for security, but it shifts agencies toward alternative delivery techniques that require reliable authentication or access to upstream contact data (phone, postal addresses), which many smaller entities lack.
