Most States and the federal government mandate that personal and confidential consumer data must be securely protected by the companies that collect or use such data. However, despite that requirement, there are thousands of data breaches that occur every year in nearly every industry. Thus, in addition to mandating cybersecurity, many States have enacted breach notification laws. In very broad terms, the breach notification statutes cover the following issues:
- Who must be notified? For example: law enforcement, regulators, and consumers whose private information may have been accessed
- What events trigger a duty to notify? An attempt to exfiltrate data will generally not, by itself, trigger an obligation to notify
- What is the timing of the notice?
- Are automatic remedies required, such as purchasing monthly credit reports for affected consumers?
In this article, we will briefly summarize California’s data breach notification laws which were first enacted in 2002.
Security and/or Data Breach
Under current California laws and regulations, the definition of a security and/or data breach depends partly on whether the data is encrypted. If the data is encrypted, then notice obligations are only triggered if there is reason to believe that the data itself was compromised. This means that the encryption key must also have been stolen or that facts suggest that the encryption can be broken. If the data was unencrypted, then, generally, a breach notification must be sent.
When Must the Notice be Sent?
There is no exact deadline under California laws. The general rule is that breach notifications must be sent “in the most expedient time possible and without unreasonable delay.” Typically, this standard allows for internal investigations and for contact with and response from law enforcement. Breach notification timing may also be impacted by the need to restore the integrity of the data system.
To Whom Must Notifications be Sent?
In general, notifications must be sent as follows:
- To consumers whose data was accessed or stolen
- To the California Attorney General (if the data of more than 500 California residents was compromised)
- To the owners or licensees of the data, if the entity that suffered the hack or unauthorized access was not itself the owner or licensee of the data
Note that there is no requirement that law enforcement officials be notified. However, data breaches are criminal in nature and law enforcement officials are usually contacted for purposes of reporting and investigating the criminal behavior.
What Must the Breach Notification Say?
California’s data breach notification law is aimed at protecting consumers. Thus, California statutes require that a breach notification be written in easily understood words and must be titled “Notice of Data Breach.” In addition, a lot of specific information must be provided which can be summarized as follows:
- Name and contact information of the company that suffered the data breach
- A full list of the data compromised or thought to be compromised
- Date or dates of the data breaches
- Description of what happened — how the data breach occurred
- Whether law enforcement officials were contacted and whether that investigation delayed notification
- Information about checking major credit reporting agencies
- An offer to provide identity theft prevention services
Contact Revision Legal
For more information or if you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data breach and data security lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474. We are lawyers specializing in internet law.
What Counts as “Personal Information” Under California Law
California’s data breach notification statute, codified at California Civil Code §§ 1798.29 and 1798.82, defines “personal information” broadly. It includes an individual’s first name (or first initial) and last name combined with any of the following data elements: Social Security number; driver’s license number or California identification card number; account number or credit/debit card number in combination with any required security code or password; medical information; health insurance information; and, as of 2014, a username or email address combined with a password or security question and answer that permits access to an online account.
The 2014 amendment specifically addressed the growing problem of credential theft — the most common vector for data breaches. If your company experiences a breach that exposes login credentials, even without financial account numbers or Social Security numbers, you are still obligated to notify affected individuals under California law. This expanded definition catches many businesses off guard, particularly SaaS companies and platforms that store user login data.
Content Requirements for the Notification
California law is specific about what a breach notification must contain. Under Cal. Civ. Code § 1798.82(d), notifications must include:
- The name and contact information of the reporting business
- A list of the types of personal information that were or are reasonably believed to have been subject to the breach
- The date of the breach, or the estimated date range if the exact date is unknown
- The date the notification is being sent
- Contact information for the major credit reporting agencies (toll-free numbers, addresses, and websites), if Social Security or financial account information was compromised
Notifications must be written in plain language. California also imposes specific formatting requirements on the notice. Businesses that fail to include required elements, or that send notices in a format that obscures material information, risk regulatory action and private lawsuits.
CPRA and the Expanded Privacy Framework
The California Privacy Rights Act (CPRA), which significantly amended and expanded the California Consumer Privacy Act (CCPA), took full effect on January 1, 2023. The CPRA established the California Privacy Protection Agency (CPPA) as a new enforcement body with rulemaking and enforcement authority. While the CCPA/CPRA is primarily a privacy law — governing consumer rights to know, delete, and opt out of the sale of their personal information — it intersects critically with breach notification obligations. Businesses subject to the CCPA/CPRA that experience a breach of unencrypted personal information can face private civil actions from affected consumers for statutory damages between $100 and $750 per consumer per incident. This private right of action under Cal. Civ. Code § 1798.150 makes California data breach litigation particularly costly for companies that fail to implement reasonable security measures.
How Revision Legal Can Help After a Data Breach
Responding to a data breach is not simply a technical problem — it is a legal crisis requiring coordinated legal, communications, and IT response. At Revision Legal, our data privacy attorneys help businesses work through every stage of breach response: determining whether notification obligations are triggered, drafting legally compliant notifications, coordinating with regulators, responding to California Attorney General inquiries, and defending against consumer class action lawsuits arising from the breach. We also advise businesses proactively on data security compliance programs designed to minimize breach risk and reduce legal exposure before an incident occurs. Contact us today.