Update on California’s Data Breach Notification Law

by John DiGiacomo

Partner

Internet Law

Most States and the federal government mandate that personal and confidential consumer data must be securely protected by the companies that collect or use such data. However, despite that requirement, there are thousands of data breaches that occur every year in nearly every industry. Thus, in addition to mandating cybersecurity, many States have enacted breach notification laws. In very broad terms, the breach notification statutes cover the following issues:

  • Who must be notified? — such as: law enforcement, regulators and consumers whose private information may have been accessed
  • What events will trigger a duty to notify? — an attempt to exfiltrate data will not generally trigger an obligation to notify
  • What is the timing of the notice?
  • Are automatic remedies required — such as purchasing monthly credit reports for affected consumers?

In this article, we will briefly summarize California’s data breach notification laws, which were first enacted in 2002.

Security and/or Data Breach

Under current California laws and regulations, the definition of a security and/or data breach depends partly on whether the data is encrypted. If the data is encrypted, then notice obligations are only triggered if there is reason to believe that the data itself was compromised. This means that the encryption key must also have been stolen or that facts suggest that the encryption can be broken. If the data was unencrypted, then, generally, a breach notification must be sent.

When Must the Notice be Sent?

There is no exact deadline under California laws. The general rule is that breach notifications must be sent “in the most expedient time possible and without unreasonable delay.” Typically, this standard allows for internal investigations and for contact with and response from law enforcement. Breach notification timing may also be impacted by the need to restore the integrity of the data system.

To Whom Must Notifications be Sent? 

In general, notifications must be sent as follows:

  • To consumers whose data was accessed/stolen
  • To the California Attorney General (if data was compromised for more than 500 California residents)
  • To the owners of the data if the target of the hack/unauthorized access was not the owner or licensee of the data

Note that there is no requirement that law enforcement officials be notified. However, data breaches are criminal in nature and law enforcement officials are usually contacted for purposes of reporting and investigating the criminal behavior.

What Must the Breach Notification Say?

California’s data breach notification law is aimed at protecting consumers. Thus, California statutes require that a breach notification be written in easily understood words and must be titled “Notice of Data Breach.” In addition, a lot of specific information must be provided which can be summarized as follows:

  • Name and contact information of the company that suffered the data breach
  • A full list of the data compromised or thought to be compromised
  • Date or dates of the data breaches
  • Description of what happened — how the data breach occurred
  • Whether law enforcement officials were contacted and whether that investigation delayed notification
  • Information about checking major credit reporting agencies
  • An offer to provide identity theft prevention services

Contact Revision Legal

For more information or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data breach and data security lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474. We are lawyers specializing in internet law.
