The California data breach notification law requires any business or agency that owns or licenses computerized personal information to notify affected California residents when that data is compromised. The rule lives in two parts of the Civil Code: section 1798.29 covers state agencies, and section 1798.82 covers businesses. Both demand disclosure of a breach of unencrypted personal information "in the most expedient time possible and without unreasonable delay." In plain English: if unencrypted personal data about Californians is acquired by someone who shouldn't have it, you are legally on the hook to tell those people, and you cannot sit on it.
If you run a healthcare practice, law firm, accounting office, real estate brokerage, or construction firm in California, this statute applies to you the moment you store a single client's Social Security number, driver's license, or financial account data. Below is a working owner's guide to what the law says and what it expects of you. (This article is general information, not legal advice. For a breach affecting your business, retain a privacy attorney.)
What counts as "personal information" under the statute
The notification duty is triggered only when "personal information" is breached, and the statute defines that term narrowly. It generally means a California resident's first name or first initial plus last name in combination with one or more of the following data elements, when either the name or the data element is unencrypted or unredacted:
- Social Security number
- Driver's license number or California identification card number
- Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the financial account
- Medical information (a person's medical history, condition, or treatment)
- Health insurance information (policy or subscriber numbers, application or claims history)
- Unique biometric data such as a fingerprint, retina scan, or other unique physical representation used to authenticate identity
- Information collected through an automated license plate recognition system
- Genetic data
Separately, the law treats a username or email address combined with a password or security question answer that would permit access to an online account as covered information on its own. The full element list and current language are published by California Legislative Information for Civil Code 1798.82. The practical takeaway: a name on its own is not "personal information," but pair it with any of the elements above and the notification clock can start.
Who you must notify, and when
Two audiences matter. First, you must notify the affected individuals: every California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The statute does not set a fixed day count for individuals. Instead it uses the "most expedient time possible and without unreasonable delay" standard, subject only to the legitimate needs of law enforcement (which can ask you to hold notice while they investigate) and the time required to determine scope and restore reasonable integrity to the system.
Second, you must notify the California Attorney General. If a single breach requires you to notify more than 500 California residents, you are required to submit a sample copy of that notification to the Attorney General. The AG posts these submissions publicly in a searchable database, and maintains official guidance for businesses on the California Attorney General's data breach page. That public listing is one reason a breach becomes a reputational event, not just a legal one.
A note on roles: if you only maintain data that someone else owns (for example, you process records for a client), your duty is to notify the data owner immediately after discovery, and the owner handles resident notification. Most small businesses, though, are the owner, which means the full duty sits with you.
What the breach notice must contain
California does not let you send a vague "we had an incident" email. The statute prescribes the content of the notice, which must be written in plain language and titled "Notice of Data Breach." It must include, to the extent possible:
- The name and contact information of the reporting business
- A list of the types of personal information that were or are reasonably believed to have been involved
- The date, estimated date, or date range of the breach if known, and the date of the notice
- Whether notification was delayed because of a law enforcement investigation, if that is the case
- A general description of the breach incident
- The toll-free numbers and addresses of the major credit reporting agencies, if the breach exposed Social Security numbers or driver's license/ID numbers
The law also defines a standard format with headings such as "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." If the breach involved login credentials, there are specific instructions the notice must give about changing passwords. Getting the format wrong is itself a compliance gap, so this is not a step to improvise during a crisis. We walk through the operational side of all this in our companion guide, what to do in the first 48 hours of a California data breach.
How it interacts with the CCPA/CPRA and HIPAA
The notification statute tells you when and how to disclose a breach. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, adds something with sharper teeth: a private right of action. Under the CCPA, if certain categories of nonencrypted and nonredacted personal information are subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business's failure to maintain reasonable security, affected consumers can sue. The law allows statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater. With even a modest client base, that math escalates quickly. The Attorney General's overview of the law sits at the California Attorney General's CCPA page.
The phrase "failure to maintain reasonable security" is the hinge. A breach alone does not automatically create CCPA liability; the exposure to private lawsuits turns on whether you had reasonable security measures in place. That is precisely why your security posture before a breach is a legal asset, not just an IT line item.
If your business handles protected health information, HIPAA's Breach Notification Rule applies on top of California law. The two regimes overlap but are not identical, and California's medical-information protections (the Confidentiality of Medical Information Act) can apply to entities HIPAA does not even reach. Healthcare and dental practices, in particular, should assume both clocks run at once. Our work with California legal firms shows the same layering for attorneys, who carry both statutory duties and professional confidentiality obligations.
Penalties and litigation risk
The risk comes from several directions at once. The Attorney General can bring enforcement actions for violations of the notification and CCPA requirements, and the California Privacy Protection Agency now has its own enforcement authority under the CPRA. On top of regulator action, the private right of action described above lets affected consumers pursue statutory damages without proving they lost a single dollar. Plaintiffs' firms watch the Attorney General's public breach database closely; a 500-plus-resident submission is effectively an advertisement that a class action may follow.
Then there are the costs the statute never mentions: forensic investigation, credit monitoring you offer affected individuals, breach counsel, the staff hours spent assembling notices, and the client trust that walks out the door. For a small healthcare or professional services firm, the indirect costs of a breach routinely dwarf any single fine. We avoid quoting specific dollar figures because every incident is different and credible numbers are scenario-specific, but the direction is never in doubt: prevention is dramatically cheaper than response.
How to be ready before a breach happens
The single most powerful provision in the statute is what it leaves out. The notification duty applies to unencrypted personal information. If the data that was accessed was encrypted, and the encryption key was not also taken, the breach generally does not trigger the individual notification requirement. Encryption is, in effect, a built-in safe harbor. Encrypting laptops, mobile devices, databases, and backups is the closest thing to a legal insurance policy California gives you, and it is table stakes for any modern managed cybersecurity program.
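The trigger logic described above (covered data elements paired with a name, the credential-pair case, California residency, the 500-resident Attorney General threshold, and the encryption safe harbor) as an added Python triage helper; this is illustrative code written for this article, not the original page's or any vendor's tool. The element labels, record fields and sample export are assumptions, and it simplifies by treating `encrypted` as meaning both the name and the data element were encrypted.

```python
from dataclasses import dataclass

# Data elements that, paired with a name, make a record "personal information".
# Labels are assumed here; they summarise the statutory list, not its full text.
COVERED_ELEMENTS = {
    "ssn", "drivers_license", "financial_account_with_code", "medical",
    "health_insurance", "biometric", "alpr", "genetic",
}
AG_THRESHOLD = 500  # more than this many CA residents => sample notice to the AG


@dataclass
class ExposedRecord:
    resident_of_ca: bool
    has_name: bool
    elements: set                   # covered elements exposed for this person
    credential_pair: bool = False   # username/email + password or security answer
    encrypted: bool = False         # name and element both encrypted at rest
    key_compromised: bool = False   # decryption key also taken or usable


def is_covered(rec: ExposedRecord) -> bool:
    """Does this record meet the statutory 'personal information' trigger?"""
    if rec.encrypted and not rec.key_compromised:
        return False  # encryption safe harbor: no individual-notice trigger
    if rec.credential_pair:
        return True   # online-account credentials are covered on their own
    return rec.has_name and bool(rec.elements & COVERED_ELEMENTS)


def triage(records):
    """Decide who must be notified and what the notice must carry."""
    affected = [r for r in records if r.resident_of_ca and is_covered(r)]
    return {
        "notify_individuals": bool(affected),
        "affected_ca_residents": len(affected),
        "notify_attorney_general": len(affected) > AG_THRESHOLD,
        # SSN or DL/ID exposure requires the credit bureau contacts in the notice
        "include_credit_bureau_contacts": any(
            r.elements & {"ssn", "drivers_license"} for r in affected),
        # credential exposure requires password-change instructions
        "include_password_instructions": any(r.credential_pair for r in affected),
    }


# Constructed sample export for a hypothetical incident, not real breach data.
SAMPLE = (
    [ExposedRecord(True, True, {"ssn"})] * 501
    + [ExposedRecord(True, True, {"medical"}, encrypted=True)] * 20   # safe harbor
    + [ExposedRecord(False, True, {"ssn"})] * 10                      # non-residents
    + [ExposedRecord(True, False, set(), credential_pair=True)] * 3   # creds only
)
```

Running `triage(SAMPLE)` counts 504 affected residents, which crosses the AG threshold even though the encrypted medical records and the non-resident records drop out.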
Beyond encryption, readiness comes down to a few disciplines:
- Know where your data lives. You cannot encrypt or protect personal information you have not inventoried. Map every system that touches client SSNs, financial accounts, and medical data.
- Maintain "reasonable security." Multi-factor authentication, patched systems, endpoint protection, access controls, and logging are the baseline a court or regulator will measure you against.
- Write an incident response plan before you need it. Pre-drafted notice templates, a contact list (counsel, forensics, AG submission portal), and a decision tree turn a 30-day scramble into a controlled process.
- Keep evidence you were secure. Documentation of your controls is what separates "we had a breach" from "we failed to maintain reasonable security" in litigation.
This is the same groundwork we build for firms across the state, from a San Francisco law practice to a Newport Beach legal team. The pattern is consistent: the businesses that handle a breach well are the ones that prepared for it on an ordinary Tuesday, long before anything went wrong.
Don't wait for a breach to read this statute carefully
The California data breach notification law rewards preparation and punishes improvisation. Encryption, reasonable security, and a written response plan are not just good IT hygiene; under California law they are the difference between a manageable incident and a regulatory and litigation crisis. If you are not certain your client data is encrypted and your team knows exactly what to do in the first hour, that uncertainty is the gap worth closing now. Book a free consultation with Cobrix Solutions and we'll review where your business stands before the law ever has to.