AB2062 rewrites California’s breach-notification language to focus on “agencies” that own, license, or maintain computerized personal information and sets detailed requirements for when and how those agencies must notify affected California residents. It adds an explicit trigger for encrypted data—notification is required when the encryption key or security credential is also compromised—and prescribes a model notice format, minimum typographic standards, and special rules for large incidents and online account credentials.
This bill matters to local and state government entities and any third parties that hold agency data because it converts a general duty to notify into a checklist of specific obligations: timing constraints consistent with law-enforcement delays, substitute-notice thresholds tied to cost or population affected, mandatory submission of sample notices to the Attorney General for incidents affecting more than 500 residents, and a carve-in of the State Bar into the statute. Compliance will require legal, IT, and communications coordination and creates new operational and reporting burdens for agencies that manage personal information.
At a Glance
What It Does
Imposes a statutory duty on agencies that own, license, or maintain computerized personal data to notify California residents when personal information is acquired by an unauthorized person, including when encrypted data is exposed and the encryption key or credential is also compromised. The bill specifies notice content, format, delivery methods, and exceptions for law-enforcement delays and employee good-faith access.
Who It Affects
State and local agencies (and their contractors) that store or process personal information, the State Bar (explicitly included), and the Attorney General’s office (which receives sample notices for larger breaches). IT, legal, and communications teams at affected public entities will be directly responsible for implementing the requirements.
Why It Matters
The measure tightens expectations around government-sector breach response and transparency, converts descriptive guidance into prescriptive obligations, and creates operational reporting lines to the Attorney General and the Department of Technology. For practitioners, this changes incident-playbook priorities: determine whether the encryption key or security credential was compromised alongside the data, follow the model notice structure, and prepare for substitute-notice conditions and Attorney General submission.
What This Bill Actually Does
AB2062 structures breach notification around three roles: agencies that own or license data, agencies that merely maintain data on behalf of an owner, and the Attorney General as a recipient of certain reports. When an agency determines, or reasonably believes, that an unauthorized person has acquired unencrypted personal information, it must notify affected California residents in the most expedient time possible and without unreasonable delay, subject to delay while law enforcement determines that notification would impede a criminal investigation.
The bill adds a distinct pathway for encrypted data: if encrypted personal information is acquired and the agency reasonably believes the encryption key or security credential was also obtained and could render the data readable, notification is required.
The bill prescribes what a notification must look like and what it must include. Agencies must use plain language, a titled notice (“Notice of Data Breach”), and five labeled sections—What Happened, What Information Was Involved, What We Are Doing, What You Can Do, and For More Information.
The text must appear in no smaller than 10-point type; using the bill's model form, or the required headings with the required details, satisfies the format requirement. The statutory minimum content list covers the reporting agency's contact information, the kinds of personal information exposed, relevant dates (if known), whether law enforcement delayed the notice, a general description of the incident, and credit-agency contact details when Social Security numbers or driver's license numbers were exposed.

For large incidents, the bill adds two procedural steps. First, if more than 500 California residents require notice because of a single breach, the agency must electronically submit a sample of the notice, with personal details removed, to the Attorney General. Second, substitute notice is allowed when the cost of individual notices would exceed $250,000, the affected class exceeds 500,000 people, or the agency lacks sufficient contact information; substitute notice combines email (if available), conspicuous website posting for at least 30 days, and notice to major statewide media and the Department of Technology's Office of Information Security.
The statute also contains practical exceptions: an agency that already maintains notification procedures consistent with timing requirements is treated as compliant, and good-faith employee access is not a breach so long as no unauthorized further disclosure occurs. The State Bar is explicitly brought under the statute’s coverage, although other provisions of the chapter do not automatically apply to it.
The Five Things You Need to Know
Notification is required for encrypted data only if the agency reasonably believes the encryption key or security credential was also acquired and could render the data readable or usable.
The notice must use the specified headings and may rely on the bill’s model form; notice text must be no smaller than 10-point type.
If a single breach affects more than 500 California residents, the agency must electronically submit a de-identified sample of the notice to the Attorney General.
Substitute notice is permissible when individual notice costs exceed $250,000, the affected class exceeds 500,000 people, or contact information is insufficient, and substitute notice must include email (if available), conspicuous website posting for 30 days, and statewide media plus the Department of Technology’s Office of Information Security.
When the breach involves only login credentials for an online account, the agency may comply by directing the affected person to change their password and security questions; if the breached credential is an agency‑provided email account, the agency must not send notice to that same email address.
Section-by-Section Breakdown
Duty to notify residents and encryption-key trigger
This section places the primary notification duty on an agency that owns or licenses computerized personal data. It requires prompt disclosure to California residents if unencrypted personal information is acquired by an unauthorized person. Crucially, the provision creates a separate trigger for encrypted records: notification is required if the encrypted data were acquired and the agency reasonably believes the encryption key or security credential was also taken and could make the data usable. The timing standard is "the most expedient time possible and without unreasonable delay," but the subsection cross‑references the law‑enforcement delay carve‑out in subdivision (c). Practically, this forces agencies to triage whether a key or credential compromise has occurred before deciding whether to notify, which means the investigation must establish where keys and credentials were stored relative to the data and whether the intruder's access reached them.
Processor/maintainer duty to notify the data owner or licensee
When an agency is only a custodian or maintainer of computerized personal information it does not own, the bill requires immediate notice to the owner or licensee upon discovery if the data were, or are reasonably believed to have been, acquired by an unauthorized person. This mirrors private‑sector vendor‑to‑client notification duties and means third‑party providers handling agency data must have contractual and operational processes to escalate incidents to owners without delay.
Required notice format and minimum content
The statute builds a checklist for breach notices: plain language; the title "Notice of Data Breach"; five labeled sections (What Happened; What Information Was Involved; What We Are Doing; What You Can Do; For More Information); and a minimum font size of 10 points. The bill supplies a model form and deems its use compliant. The minimum content list includes the reporting agency's contact information, types of personal information exposed, breach dates (if known), whether law enforcement delayed notification, a general incident description, and credit‑reporting agency contact information if Social Security or driver's license numbers were exposed. That level of prescription reduces drafting discretion but also establishes a predictable public communication standard for agencies.
Large‑incident procedures: Attorney General submission and substitute notice
For breaches requiring notice to more than 500 California residents, agencies must electronically submit a de‑identified sample notice to the Attorney General. Separately, the bill authorizes substitute notice where individual notification would cost more than $250,000, the affected group exceeds 500,000 people, or contact information is insufficient. Substitute notice must include email (when available), conspicuous website posting for at least 30 days, and notice to major statewide media plus the Department of Technology’s Office of Information Security. These provisions centralize situational awareness for the state and create a predictable path for mass notifications.
Definitions and exclusions
The statute defines “breach of the security of the system” as unauthorized acquisition that compromises security, confidentiality, or integrity and excludes good‑faith employee or agent access that does not result in further unauthorized disclosure. It spells out a two‑part definition of personal information (name plus one sensitive data element, or username/email plus password/security Q&A), enumerates covered data types (SSNs, driver’s license numbers, account numbers with access codes, medical and health‑insurance information, biometric and genetic data, automated license plate recognition data), excludes publicly available government records, and defines “encrypted” and the terms “encryption key” and “security credential.” These definitions determine incident scope and whether the encryption key trigger applies.
Special rules for login credentials and agency policy compliance
The bill allows a narrow compliance path when the breach involves only online account credentials: agencies may direct affected persons to change passwords or security questions rather than issue the full statutory notice. However, if the compromised credential is an agency‑provided email account, the agency may not send the notice to that same email address and must use another permitted delivery method or deliver a conspicuous online notice when the person connects from a recognized IP address. Finally, an agency that already has notification procedures that are consistent with the timing requirements will be treated as compliant, which creates room for agencies to rely on established incident‑response policies so long as timing and substance align with the statute.
Scope: local agencies and the State Bar
The measure clarifies that, for this section, the term “agency” includes local agencies, bringing municipal, county, and other local entities within the statute’s ambit. It also specifically requires the State Bar of California to comply with the section while preserving that other provisions of the chapter do not automatically apply to the Bar. These inclusions expand the statute’s reach into traditionally autonomous or quasi‑independent institutions and signal an intent to cover public and quasi‑public custodians of personal data.
Who Benefits and Who Bears the Cost
Who Benefits
- California residents who are the subjects of breaches: they gain clearer, standardized notices with prescribed headings and minimum content that make it easier to assess exposure and next steps.
- Individuals impacted by encrypted‑data exposures: the encryption‑key trigger makes it more likely they’ll be informed when encryption alone no longer protects their information.
- Attorney General and Department of Technology Office of Information Security: the Attorney General receives de‑identified sample notices for incidents affecting more than 500 residents, and the Office of Information Security receives notice when substitute notice is used for mass incidents, improving statewide situational awareness and coordination.
- Privacy and consumer advocates: standardized formatting and mandatory content reduce variation in public communications and make government breach disclosures easier to evaluate and compare.
Who Bears the Cost
- Local and state agencies (including the State Bar): they must staff legal, IT, and communications responses, produce notices in the specified format, and, for larger events, submit de‑identified notices to the Attorney General—creating direct operational and possibly budgetary burdens.
- Third‑party maintainers and vendors that host agency data: they must notify owners/licensees immediately on discovery, which requires contractual processes, incident escalation procedures, and possibly faster forensic work.
- Offices receiving notifications (Attorney General; Department of Technology): they will incur review and intake workload for submitted notices and public‑notification coordination without an allocated funding stream in the text.
- Communications and compliance teams at agencies: preparing notices that meet the model form, font, and heading requirements may necessitate legal review and tailored messaging, increasing consulting or internal costs.
Key Issues
The Core Tension
The bill balances the public interest in timely, standardized disclosures against operational realities and investigative needs: greater transparency and prescriptive notice requirements increase victims’ ability to respond but force agencies to make fast forensic and legal judgments (particularly about key compromise and reasonable belief), and to expend limited resources preparing standard notices and state reports—sometimes at the expense of deeper technical remediation or ongoing law‑enforcement cooperation.
The statute relies on several qualitative standards ("reasonably believed," "could render readable or usable," and "the most expedient time possible and without unreasonable delay") that will generate implementation questions. Determining whether an encryption key compromise has occurred is often a forensics judgment made under time pressure; agencies must balance rushing a possibly premature notification against delaying notice while investigators confirm key exposure, and that judgment decides whether the encryption‑triggered pathway applies at all.
The bill's prescriptive notice format reduces ambiguity but can be rigid in incident communications where tailored explanations matter (for example, for complex exposures involving multiple data types or ongoing remediation). The substitute‑notice thresholds ($250,000 cost or 500,000 affected) give agencies a path to mass notification, but also create discontinuities: taken alone, the headcount prong would require individual notices for an incident affecting 499,999 individuals even though it is practically indistinguishable from one affecting 500,001. In practice the cost prong will usually be met well before the headcount prong, so the headcount threshold matters mainly where per‑person notice is unusually cheap.
The statute also imports obligations onto resource‑constrained local entities and the State Bar without specifying funding or enforcement priorities, raising questions about compliance capacity. Finally, the interplay with other state or federal disclosure obligations, confidentiality rules, and contract terms (especially for health or law‑enforcement data) will require careful legal reconciliation in the field.