Sen. John F. Kennedy District 18
This bill would require all companies with a written contract with cities and counties and all companies provided access to city and county facilities or data systems without a written contract to comply with a statutorily defined external data privacy program. This program would require these companies to:

- Alert the local government in the event of a data breach;
- Perform quarterly scans of their employees' names, email addresses, personal phone numbers and dates of birth against 350 known data brokers or people search websites and, using a major internet search, determine what information is easily obtainable for each employee;
- Maintain a report of all information discovered in the quarterly scans and use this information when conducting an annual privacy risk assessment;
- Keep the reports for a minimum of three years and provide the reports to the local government within seven days of request in the event of a data breach; and
- Certify to the local government that the company conducts annual privacy training for its employees that describes how information retained by data brokers is used for cyberattacks.