AB 370 amends Government Code section 7922.535 to add inability to access electronic servers because of a cyberattack to the list of “unusual circumstances” that can justify extending the statutory 10‑day response deadline for public‑records requests. The bill also narrows the existing state‑of‑emergency ground for extensions by requiring the emergency to directly affect an agency’s ability to respond.
Practically, the law lets an agency delay its response only while it lacks access to the affected electronic systems and clarifies that records stored elsewhere or in nonelectronic form remain subject to the normal schedule. The bill contains legislative findings required by the California Constitution and states that no state reimbursement to local agencies is required for these changes.
At a Glance
What It Does
The bill keeps the 10‑day deadline to determine disclosability but allows a written extension, up to 14 days, when “unusual circumstances” exist; it adds a cyberattack‑based inability to access electronic servers as one such circumstance and limits the state‑of‑emergency excuse to emergencies that directly impede response. Agencies must send written notice of any extension signed by the head or a designee.
Who It Affects
Local and state public agencies that maintain records electronically, including county clerks, police departments, and state departments with public‑facing records; records officers, IT and cybersecurity teams; and requesters who depend on timely access to electronic records.
Why It Matters
The change recognizes ransomware and other intrusions as a legitimate operational barrier to compliance while placing a narrower boundary around emergency‑based delays, reducing the risk that broad emergency declarations become routine cause to postpone disclosure. Compliance officers must add cyberincident workflows to CPRA procedures and document when an attack truly prevents access.
What This Bill Actually Does
Under existing law agencies must decide within 10 days whether a records request seeks disclosable public records and tell the requester when those records will be available. AB 370 leaves that core timing intact and preserves the written‑notice requirement when an agency needs extra time.
The bill expands the statutory list of “unusual circumstances” that justify a short extension to include situations where a cyberattack prevents the agency from accessing electronic servers or systems that hold potentially responsive records. That cyberattack ground is limited: it applies only to records maintained on the affected electronic systems, it does not excuse agencies from responding when records are stored elsewhere or in paper, and it lasts only until the agency regains access and can search those systems.
Separately, AB 370 tightens the state‑of‑emergency basis for an extension by adding the word “directly” — the emergency must directly impair the agency’s ability to meet the deadline (for example, through staffing shortages or facility closures where the records are kept). The bill also preserves the carve‑out that requests for records created during and about the emergency are not eligible for a delay under that ground.
Finally, the Legislature included the constitutionally required findings explaining why the new limitation on access is necessary, and the text specifies that no reimbursement to local agencies is required for costs arising from the change. For compliance teams, the result is a narrow, operationally focused exception tied to demonstrable loss of electronic access rather than a new, broad permission to delay disclosures.
The Five Things You Need to Know
An agency still must determine within 10 days whether requested records are disclosable and give an availability estimate if they are.
The head of the agency or a designee may extend that 10‑day period in writing for up to 14 additional days under “unusual circumstances.”
The bill adds a cyberattack‑based inability to access electronic servers or systems as a qualifying unusual circumstance, but only for records maintained on the affected systems.
The cyberattack extension applies only until the agency regains its ability to access and search the impacted electronic servers or systems; records located off those systems or in nonelectronic form are not covered by the cyberattack excuse.
The state‑of‑emergency ground for delay now requires the emergency to directly affect the agency’s ability to respond, and requests for records created during the emergency are excluded from that particular extension.
Section-by-Section Breakdown
10‑day initial duty and availability estimate
This subsection retains the baseline obligation: within 10 days an agency must decide whether the request seeks disclosable records and, if so, state an estimated date and time when the records will be provided. Practically, this keeps the fast‑moving cadence of CPRA responses and means agencies cannot use the new cyberattack language to evade the initial determination requirement.
Written extension mechanics and limits
Subdivision (b) preserves the procedural guardrails: any extension must be by written notice from the agency head or a designee, must set out the reasons, and must give a target dispatch date. The statute continues to cap extensions at 14 days, so agencies cannot stack cyberattack or emergency extensions into an open‑ended delay; compliance officers must issue a timely, documented written notice that stays within the statutory window.
Cyberattack exception for electronic records
This new paragraph adds the cyberattack scenario: if a cyber incident prevents the agency from accessing the servers or systems that store responsive records, the agency may rely on an extension. The text narrows the scope: it does not excuse responses for records stored off the affected system or for records in paper form, and it terminates once access is restored. For IT and legal teams this means documenting which systems are impacted and when search capability resumes.
Narrower state‑of‑emergency basis for delay
The bill tightens the previously broader emergency language by requiring the declared emergency to directly affect the agency’s ability to respond — for example, a local office closure that stops access to on‑site files. It also reiterates that requests for records created during the emergency are not eligible for delay under this ground. That reduces the universe of emergencies that automatically qualify and forces agencies to link the emergency’s effects to their operational capacity.
Constitutional findings and fiscal note
These sections supply the California Constitution’s required legislative findings explaining why the limitation on access is necessary and state that no reimbursement to local agencies is required under the constitutional mandate. Agencies should note the Legislature’s explicit policy rationale, but they do not receive accompanying state funds for implementation or new cybersecurity work from this enactment.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Local and state agencies’ incident response teams — the amendment gives legal breathing room during active intrusions, reducing pressure to meet disclosure deadlines while systems are down and enabling IT to prioritize containment and recovery.
- Information‑security vendors and contractors — agencies are likely to accelerate or expand incident response contracts and forensics work to restore access and terminate the extension period more quickly.
- Records custodians and compliance officers — the statute clarifies a legitimate operational reason to document and lawfully extend a deadline, creating a predictable path to justify short delays to internal and external stakeholders.
Who Bears the Cost
- Requesters and journalists — when agencies lose server access they may face short, statutory delays in obtaining electronic records they need for time‑sensitive reporting or oversight.
- Local agencies without mature cybersecurity programs — they inherit an unfunded operational risk: the law allows delay but does not provide money to prevent or respond to incidents, potentially increasing costs for emergency recovery and documentation.
- Small jurisdictions and school districts — they must evaluate, document, and justify cyberattacks as grounds for delay and may need outside technical help to establish when access was lost and restored, producing administrative and financial burdens.
Key Issues
The Core Tension
The central dilemma is between protecting operational integrity during real cyber emergencies and preserving the public’s right to timely access: the law grants agencies breathing room to recover systems but leaves the public dependent on agencies’ internal documentation and good faith to prevent overbroad or repeated delays.
The bill creates a pragmatic shortcut for agencies under cyberattacks but leaves several operational questions unresolved. It does not define “cyberattack” or set documentary standards for proving that an incident prevented access; that omission leaves room for disputes over when the extension legitimately begins and ends.
Agencies will need policies that tie forensic evidence, down‑time logs, and incident declarations to the written extension notice to withstand scrutiny.
The law limits the cyberattack exception to records on affected systems, which reduces scope but requires granular mapping of where responsive records live. Many agencies lack up‑to‑date inventories of systems and records locations; absent that mapping, agencies could either overuse the extension (risking legal challenges) or underuse it (risking missed deadlines).
Finally, the statute imposes no funding or technical assistance; smaller jurisdictions face the hardest trade‑off between investing in uptime and absorbing delays that undermine public access.
Implementation will test whether the statute deters opportunistic use of ‘cyberattack’ claims or whether agencies and requesters reach predictable practices (for example, standardized incident attestations). The balance the Legislature sought—protecting recovery time while preserving transparency—depends on how tightly agencies document incidents and how courts treat evidentiary showings about access loss and restoration.