AB 1482 Explained
In early September, 2019, the California legislature passed AB 1482, which would enact a statewide rent-control law and other eviction protections for renters. AB 1482 is part of the State’s efforts to reduce the cost of housing and protect California renters who have been adversely affected by rising rents and gentrification. The law is expected to be signed by Governor Newsom before the end of October, and the law will go into effect on January 1, 2020 and expire in 2030, unless extended by lawmakers.
What does AB 1482 do?
As currently contemplated, AB 1482 will institute state-wide rent control where landlords will be restricted from raising rents by more than 5 percent per year plus the local rate of inflation, with 10 percent being the maximum amount of the increase.
In addition to the rent control provisions, AB 1482 will also require that landlords show “just cause,” such as a failure to pay rent or some other default under the lease, before evicting tenants from a unit that such tenant has resided in for over one year. Moreover, landlords must provide the tenant an opportunity to “cure” the missed payment or default. If a landlord wants to evict a tenant without the aforementioned “just cause,” such as to convert a rental property to condominiums or make other renovations, the landlord will have to pay the evicted tenant a relocation assistance of one month’s rent.
AB 1482 only applies to units that are (i) not already covered by a rent control ordinance, and (ii) greater than 15 years old, which will get adjusted with every passing year (eg: units built in 2006 would be covered in 2021, units built in 2007 would be covered in 2022, and so on). For example, in a city like Los Angeles where the local rent control ordinance only applies to buildings constructed before 1978, as of January 1, 2020, rental units built from 1978 to 2005 would be covered by AB 1482. Moreover, single family home rentals are exempt unless such rentals are owned by an institutional investor.
How will AB 1482 affect the housing market?
According to a study by UC Berkeley’s Terner Center for Housing Innovation, which studied 10 communities throughout the state – Chula Vista, Fresno, Long Beach, Los Angeles, Oakland, San Francisco, San Rafael, Stockton, Vallejo, and West Sacramento – found that a majority of the rent increases over the last several years would have been permitted under AB 1482. However, the study did note several communities, such as Fruitvale/West Oakland, the Mission in San Francisco, and Boyle Heights in Los Angeles, that had exorbitant rent hikes over the period studied. Existing tenants in those areas would have been substantially benefited by the law, with an estimated 32 percent of the units in such areas being covered by the law.
Economists generally view rent control laws as having a detrimental affect on the cost of housing over the long term. While California suffers from an acute shortage of housing, there is little evidence that rent control laws actually increase the supply or affordability of housing. In fact, the opposite may be true – rent control laws deter the supply of new housing as the construction for new homes becomes less profitable. Moreover, landlords are often discouraged from investing in their existing properties as they see less return on their investment, and renters stay put as the disparity between their controlled rent and the market increases over time. These factors create distortions in the housing market.
While economists point to the construction of new units as the primary solution to the shortage of housing in California, such construction is unlikely to happen fast enough to address the current crisis in the State. Accordingly, as recognized by the Berkeley Haas Institute for a Fair and Inclusive Society, rent control is the only way for government to enact immediate solutions to respond to the housing crisis.
By Wesley King
Associate at Frandzel Robins Bloom & Csato, L.C.
Gone are the days of “basic security.” What used to be optional is now standard: two factor authentication, complex passwords, clean desk policies, data encryption at rest and in transit, mobile device management and up-to-the-minute patching. Clients expect these items to already be in place and are further expanding their expectations. They expect sophisticated and secure systems to keep their information safe. This obviously makes your IT professional’s job much harder. Additionally, attorneys expect instant performance and near 100% up time.
Achieving the delicate balance between accessibility and security is a challenge. Meanwhile, clients continue focusing attention on documentation, planning and training. The frequency of client-initiated audits has increased dramatically over the last five years. In 2013, Frandzel received its first audit; it was one page long and consisted of seven questions. In 2018, the firm received five audits. All were greater than one hundred pages in length. The longest one included over seven hundred questions. All of the inquiries seek documented information security policies, incident response plans and business continuity plans. Vulnerability scans of networks are required on a monthly basis, with classification and inventory controls put in place immediately. Clients seek annual security awareness and phishing defense training for all staff. The most consistent change is a requirement that the firm conduct substantial employee background checks for every new hire.
Information Security Policies
Developing one security policy for all clients is far simpler than answering every question individually. This practice also provides the firm and its third party vendors with guidelines to adhere to. These policies become a firm’s bible to follow with regards to information technology security. They include general information on security management standards, classification and controls, information users, guidelines for personnel and physical
a. Information Security Policies – These identify (1) the firm’s Information Security Manager (“ISM”), the person responsible for your information technology, (2) how to manage sensitive information and (3) who can access what in your firm.
b. Classification and Control – This describes the fundamentals of information security, including a description of the information you maintain and how is it classified (i.e., private, sensitive, restricted or confidential).
c. Information Users – In most cases, the human factor is a firm’s greatest risk. Password standards, workstation security and automatic screen protection, end of day log off requirements, unusual behavior detection, mobile device protection, good judgment policy and most importantly, training all come into play.
d. Physical Security – Having physical controls in place helps staff follow standards with regards to securing visitors and physical rooms. Educating staff regarding visitor policies, such as keeping a log with the visitor’s name, date, purpose of visit and physically keeping all server rooms locked, also aid in security. These are standard requirements and commonly considered basic controls today.
Incident Response Plan
This documents your organization’s formal response plan in preparation for a breach.
Requirements in this area vary widely. Clients frequently dictate policy inclusions such as
maximum notification times, specific contacts, and general best practices. Regardless of whether
client requirements exist, general best practices include developing these procedures today. It is
common for these policies to include some or all of the following:
a. Names of your incident response team and key clients and the numbers you need
to call if an incident occurs;
b. The name of your key resources needed to maintain or resume operations;
c. Procedures for various incidents;
d. Inventory of all hardware;
e. Inventory of all software;
f. Inventory of connectivity vendors;
g. Inventory of critical IT documents;
h. Location of data;
i. Location of passwords; and
j. Inventory of vital business records.
Business Continuity Plans
A growing best practice is to combine both business continuity and incident response plans into a single document. They are of equal importance and tend to contain similar information. Whether it’s a breach, fire, earthquake, etc., you will need to follow documented plans of action equally. The primary focus is to ensure operability of technology resources without interruption to minimize loss of revenue. Properly documented and tested plans will enable your firm to remain standing.
Our firm has been executing vulnerability scans for several years. After executing the initial scan we realized how critically important these scans were. Numerous open ports, default passwords, and service accounts that historically didn’t matter provided opportunities for access, hacking, and even email relays. Once the openings were identified, we realized what was open, the process of making refinements was effective and permanent. Future scans identified minimal vulnerabilities and risks, which were created due to modifications and improvements in the environment. As our system continues to mature, security risks diminish and confidence both internally and with the firm’s clients improved.
Classification and Inventory Controls
What do you have, where is it located and how is it classified? Prior to inventorying documents, one must understand what is in one’s possession. Some of our firm’s clients are classifying documents when they send them to us with designations such as Restricted, Confidential, Internal and Public. Because of client turnover, mergers, etc., clients are inquiring more frequently as to what client data is contained within our system. Developing a reference of contents that identifies contents will ease in your ability to respond. Collaborating with information technology professionals, managing attorneys, and internal practice groups will help accelerate this process. Clients are increasing the frequency with which they are making these requests; getting in front of them early will help your firm prepare for the inevitable.
Security Awareness Training
Security Awareness Training seems the most basic of items, but is one of the most difficult to adhere to. End users frequently believe that “it won’t happen to me”, “I’m tech savvy”, or “I can spot a scam a mile away”. This risk involves human awareness and training, and it likely provides the most risk and vulnerability within your firm’s environment. Clients are well aware of publicized security breaches, and are beginning to mandate that law firms require annual security training for all staff. Best practices suggest utilizing an external party that is fully equipped, knows the industry, and is current with ongoing and increasing scams. Utilizing an expert will help maintain an interested audience for a longer period. Preventing breaches by investing in training will result in a tremendous return on investment.
Phishing Defense Training
Conducting a random click sampling via emails distributed to a firm’s end users has the potential to create the most eye opening of events. A test email is pushed out randomly after everyone has been through Security Awareness Training. The intent is not to trap or blame employees; quite the opposite, it is to be utilized as a training tool to help them naturally identify and avoid future scams. Clients have not yet begun to demand this type of training. Regardless, we are doing this in an effort to better educate and prepare our attorneys and staff.
Preparing for Ongoing Security Challenges
Client requirements for law firms around security policies, procedures, and preparation will remain steadfast. We anticipate them continuing to escalate over time. By staying on top of ongoing audit requests, performing scans, and training employees, our firm is in a strong position. We utilize our experience and investment as a marketing tool to garner new business. While some attempt has been to minimize client requirements, embracing change and protecting your firm’s information security investment is not only wise, it may even impress your clients and garner the firm more business.