2022 – Assembly Bill 1711 (Seyarto, Kelly), Privacy Breach (Vetoed)
Would have required an agency to post a notice on the agency’s website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system, as specified.
Governor’s Veto Message
To the Members of the California State Assembly:
I am returning Assembly Bill 1711 without my signature. This bill requires a public agency to post a notice on its website when a person or business operating a system on behalf of that agency is required to issue a security breach notification for that system.
Current law requires both private businesses and public agencies to immediately notify individuals impacted by a data breach of the systems they operate, allowing appropriate action to mitigate or prevent financial losses due to fraudulent activity. The stated intent of this bill is to provide additional transparency with respect to data breach notifications provided in the event a contractor operating a system on behalf of an agency is breached.
Requiring public agencies to display every instance of a security breach on their websites will highlight vulnerable information technology systems shortly after a breach occurs. This could substantially increase the risk of additional attacks on these systems. The author's objective could be more effectively achieved through other means, such as specifying breach notifications to individuals must come from the agency, or requiring notices from a contractor to conspicuously include the agency on behalf of which they are operating.
For these reasons, I cannot sign this bill.