Takeaways

Businesses and government agencies must notify affected California residents “within 30 calendar days of discovery or notification of the data breach” absent two exceptions.
If a breach affects more than 500 California residents, a sample copy of the consumer notification is required to the California Attorney General “within 15 days of notifying affected consumers of the security breach.”
Based on recent reports and enforcement actions, the risk of substantial fines for non-compliance with data breach notification statutes remains high.

On October 3, 2025, Governor Gavin Newsom signed into law Senate Bill No. 446, which makes important changes to the California data breach notification statute. The new law, which takes effect on January 1, 2026, mandates deadlines for data breach notification to affected individuals and the state attorney general. SB 446 passed with no votes in opposition.

In 2002, California was the first state to enact a data breach notification statute. Since then, all 50 states and four U.S. jurisdictions (District of Columbia, Puerto Rico, Guam and the Virgin Islands) enacted their own data breach notification requirements. On multiple occasions, we have assisted companies in managing and responding to data breaches for all 54 jurisdictions.

Since the original statute, California has mandated disclosure of a data breach “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, … or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Thirty other states have a comparable standard.[1]

The new law requires disclosure of a data breach “within 30 calendar days of discovery or notification of the data breach,” unless one of two exceptions applies. (Cal. Civil Code § 1798.82(a)(2).) California joins five other states with a 30-day notification deadline (Colorado, Florida, Maine, New York and Washington).[2]

Under the new law, delayed notification is permitted under two exceptions: (1) “to accommodate the legitimate needs of law enforcement” or (2) as “necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” The statute recognizes that law enforcement may need to pursue an investigation without any disclosure about the data breach. Additionally, in warranted circumstances, the new law retains the same recognition and standard in place since 2003 that additional time may be needed to confirm “the scope of the breach and restore the reasonable integrity of the data system.” The new law builds on the existing statutory framework with mandatory deadlines.

Change in California Attorney General Notification
Since 2012, California law has required notification to the California Attorney General of a data breach when notification was made “to more than 500 California residents as a result of a single breach of the security system.”[3] The law did not provide a deadline for this notice.

Under the new law, disclosure of a data breach will be required to the California Attorney General “within 15 days of notifying affected consumers of the security breach” when more than 500 California residents have been notified. (Cal. Civil Code § 1798.82(f).)

State Senator Melissa Hurtado, the author of SB 446, explained that the absence of specific notification deadlines under current law means that:

affected individuals may not be informed for months—or even a year or more later—delaying their ability to take preventive measures …. By closing a critical loophole in California’s data protection laws, SB 446 upholds transparency and accountability while ensuring that residents are not left in the dark about threats to their data. Californians deserve the right to act swiftly when their personal information is compromised, and this bill provides the necessary framework to protect them.

The new statutory deadlines are intended to promote timely notification.

Model Security Breach Notification Form
California retains its unique “model security breach notification form” included in the data breach statute. (See Cal. Civil Code § 1798.82(d).) The “plain language” notification includes the title, “Notice of Data Breach,” with the following headings:

  • “What Happened?”
  • “What Information Was Involved?”
  • “What We Are Doing”
  • “What You Can Do”; and
  • “For More Information.”

Other statutory details about the data breach include “the types of personal information that were or are reasonably believed to have been the subject of a breach,” “a general description of the breach incident, if that information is possible to determine at the time the notice is provided,” and whether “identity theft prevention and mitigation services” will be provided, among other matters.

Data Breach Risks and Costs
The costs of responding to a data breach remain high. According to the most recent IBM Cost of a Data Breach Report 2025, at 11, “Average breach costs in the United States reached a record USD 10.22 million, a 9% increase over last year, driven in part by higher regulatory fines and detection and escalation costs.” While this figure does not apply to every data breach, it illustrates the costs of large data breaches and that those costs continue to rise.

Where a data breach may impact residents in more than one state, many investigations are conducted by more than one regulator. A recent survey of more than 220 cases and settlements, 35 enforcement letters, and 20 public investigations during 2020–2024, found that, “Over 90% of the data breach enforcement actions were brought collaboratively as Multistate efforts.” See State Attorneys General & Privacy: Enforcement Trends, 2020–2024, at 3 (Oct. 2025).

Enforcement actions based on non-compliance with data breach notification standards have resulted in substantial penalties. For example, in August the New York Department of Financial Services imposed a $2 million fine for failure to notify within 72 hours of a cybersecurity event, among other non-compliance issues. Also in August, the Massachusetts Attorney General’s Office obtained a $795,000 fine after a property management company “unlawfully delay[ed] required data breach notifications” and “fail[ed] to adequately protect the personal information.”

Enforcers also review the sufficiency and accuracy of the data breach notification. For example, last year, the California Attorney General obtained a $6.75 million fine from a software company for misleading “the public of the full impact of the data breach.”

Next Steps for Businesses
Based on the new requirements, companies can review and update their incident response plans to ensure compliance with the new timelines along with other federal and state notification deadlines. Contracts with third-party service providers should be reviewed to ensure timely cyber incident reporting. Legal guidance from experienced counsel can assist in reviewing the sufficiency and accuracy of any data breach notifications and in mitigating risk in litigation and regulatory enforcement.


[1]   See Alaska Stat. § 45.48.010(b); Ark. Code § 4-110-105(a)(2); D.C. Code § 28-3852; Ga. Code § 10-1-912(a); 9 Guam Code § 48.30(a); H.R.S. § 487N-2(a); Idaho Code § 28-51-105(1); 815 Ill. Comp. Stat. 530/10(a); Iowa Code § 715C.2; Kan. Stat. § 50-7a02(a); Ky. Rev. Stat. § 365.732; Mass. Gen. Laws 93H § 4; Mich. Comp. Laws § 445.72(8); Minn. Stat. § 352E.61(1)(a); Miss. Code § 75-24-29(4); Mo. Rev. Stat. § 407.1500(2)(1); Mont. Code § 2-6-1503(1)(b); Neb. Rev. Stat. § 87-803(1)-(2); Nev. Rev. Stat. § 603A.220(1); N.J. Stat. § 56:8-163(12)(a)-(b); N.C. Gen. Stat. §§ 75-65(a)-(b); N.D. Cent. Code § 51-30-02; Okla. Stat. § 24-163; P.L. 474, No. 33(3); 10 L.P.R.A. St § 4052; S.C. Code § 39-1-90(A); Va. Code § 18.2-186.6(B); V.I. Code tit. 14 § 2208(a); W. Va. Code § 46A-2A-102(a); Wyo. Stat. § 40-12-502(a).

[2]   See Cal. Civ. Code § 1798.82(a)(2) (amended by SB 446); Colo. Rev. Stat. § 6-1-716(2)(a.3); Fla. Stat. § 501.171(3); 10 Me. Rev. Stat. § 1348(1); N.Y. Gen. Bus. Law § 899-aa(2); Wash. Rev. Code §§ 19.255.010(7)-(8), 42.56.590(7)-(8).

[3]   SB 24 (2011) (codified at Cal. Civil Code § 1798.82(f)); see also Senate Floor Analysis (Aug. 16, 2011) (“This bill requires that, any agency, person, or business that must provide a security breach notification under existing law to more than 500 California residents as a result of a single breach would be required to submit the notification electronically to the Attorney General.”).

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.