
California Sets 30-Day Breach Reporting Deadline

Individuals and businesses that conduct business in California will soon be required to notify individuals affected by a data breach within 30 days of discovering the breach, and to notify the state attorney general within 15 calendar days. Governor Gavin Newsom signed SB 446 earlier this month; the new breach reporting requirements take effect on January 1, 2026.

Previously, California's data breach notification law required notifications to be issued without unreasonable delay but set no maximum timeframe. The new law ensures that affected individuals receive prompt notification, giving them time to take steps to protect themselves against identity theft and fraud.

There is, however, some flexibility. Notifications must still be issued in the most expedient time possible and without unreasonable delay, and the 30-day limit is a ceiling rather than a target. The law allows notification to be delayed at the request of law enforcement, and allows the time needed to take measures to determine the scope of the breach and restore the reasonable integrity of the data system. Because the 30-day clock runs from discovery, organizations should record the discovery date in their incident records and be prepared to justify any delay beyond it.

The amended law requires data breach notices to be written in plain language, to be titled “Notice of Data Breach,” and to follow a standard format, with the information presented under the following headings:

  • What Happened?
  • What Information Was Involved?
  • What We Are Doing
  • What You Can Do
  • For More Information

There are also minimum content requirements. Data breach notices must include contact information for the individual or entity reporting the breach, the types of information reasonably believed to have been compromised, and, if the breach involved Social Security numbers, driver’s license numbers, or California identification card numbers, contact information for the major credit reporting agencies. If known at the time the notifications are issued, notices should state the date of the breach, the estimated date of the breach, or the date range in which the breach occurred. Notices should also include a general description of the incident.

If the individual or business reporting the breach was the source of the breach, and the breach involved certain sensitive types of data, complimentary identity theft prevention and mitigation services must be offered for a minimum of 12 months. The data types that trigger this requirement are: Social Security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, or any other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

Entities that fully comply with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule will be deemed compliant with the breach notice requirements of SB 446; however, HIPAA-regulated entities are not exempt from the other requirements of SB 446. HIPAA-regulated entities should therefore review those requirements carefully and update their breach response policies and procedures ahead of the January 1, 2026 compliance deadline, including the deadlines for notifying affected individuals and the state attorney general.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal and is responsible for its editorial policy. He is a specialist on healthcare industry legal and regulatory affairs, with 10 years of experience writing about HIPAA and related legal topics, and has written hundreds of articles on HIPAA-related subjects, with a particular focus on the regulatory issues surrounding the use of information technology in healthcare. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. He holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
