Report a Data Breach to San Francisco City Office

Published February 06, 2026

San Francisco, California residents, contractors, and City departments must follow official steps when a data breach affects City systems or personal information of residents. This guide summarizes who to notify, which City offices handle breaches, how state law intersects with municipal reporting, and immediate actions to contain and report incidents to the City and the California Attorney General.[1]

Penalties & Enforcement

San Francisco enforces data-security responsibilities through the Department of Technology and the City Attorney for legal or civil actions; state enforcement and civil remedies may also apply under California law.[2][1]

  • Fine amounts: not specified on the cited page.
  • Escalation: first, repeat, and continuing-offence ranges are not specified on the cited page.
  • Non-monetary sanctions: orders to remediate, injunctive relief, seizure of data, or civil actions by the City Attorney or state authorities.
  • Enforcer and complaint pathway: San Francisco Department of Technology for City systems; City Attorney for legal enforcement; the California Attorney General enforces state breach-notification law.[2]
  • Appeals and review: civil court review or administrative process as provided by the enforcing office; specific time limits are not specified on the cited page.
  • Defences and discretion: permitted disclosures, encryption or other safe-harbor measures may affect obligations; exact defences are not specified on the cited page.

City enforcement focuses on remediation and protecting residents' personal information.

Applications & Forms

There is no single, uniformly published municipal "breach form" to download for all incidents; the Department of Technology provides reporting instructions and portals for incidents affecting City systems and data.[2] For legal notices under California law, follow the Attorney General guidance and any notice templates they publish.[1]

How to Report a Breach to San Francisco

When a breach occurs, follow containment and evidence preservation steps, then notify the City offices responsible for the affected data and communicate with state authorities as required.

  1. Contain: isolate affected systems and preserve logs and evidence.
  2. Internal report: notify your department head and the San Francisco Department of Technology via the department's incident reporting channel.[2]
  3. Legal notice: coordinate with the City Attorney for possible legal notifications and with the California Attorney General for state-level obligations.[3][1]
  4. Resident notice: prepare consumer notifications if personal information was exposed, following California guidance on required content and timing.[1]

Preserve system logs and chain of custody for any forensic investigation.

Common Violations

  • Unauthorized access to resident personal data (e.g., names plus SSNs or financial data).
  • Failure to notify affected individuals and regulators within required timeframes.
  • Poor data handling by contractors or subcontractors.

Contractors handling City data usually must report incidents to the City immediately.

FAQ

Who must report a breach to the City?
City departments, City contractors, and any entity that holds or processes City data and experiences a breach affecting City systems or resident personal information must report to the Department of Technology and the City Attorney as appropriate.[2]

How quickly must I report a breach?
Report incidents to City IT/security immediately after detection and take steps to contain damage. State law requires prompt notice to affected individuals; follow the guidance from the California Attorney General.[2][1]

What information should the report include?
Include a description of the incident, affected systems, type and number of records exposed, containment measures taken, and contact information for the reporting party.

How-To

  1. Immediately isolate affected systems and preserve logs.
  2. Engage IT and incident response to contain the breach and begin forensic analysis.
  3. Notify San Francisco Department of Technology using the department incident channel and the City Attorney for legal guidance.[2][3]
  4. Prepare and send required notices to affected individuals and coordinate with the California Attorney General per state guidance.[1]

Key Takeaways

  • Report City-affecting breaches immediately to the Department of Technology and the City Attorney.
  • Follow California Attorney General guidance for consumer notification requirements and timing.

Help and Support / Resources

  [1] California Attorney General - Data breach reporting and guidance
  [2] San Francisco Department of Technology - incident reporting and IT security
  [3] San Francisco City Attorney