Data breaches: customer notification.
- Requires businesses to notify California residents of data breaches within 30 days of discovery.
- Mandates notification to the Attorney General within 15 days if a breach affects over 500 residents.
- Allows delayed notification only for law enforcement needs or to determine breach scope.
- Requires standardized breach notices with specific headings and plain language for affected residents.
Senator Hurtado's data breach notification measure establishes specific timelines for California businesses to inform residents and state officials when personal information is compromised. The legislation modifies existing state law by requiring companies to notify affected individuals within 30 calendar days of discovering a data breach, replacing the current requirement of notification "in the most expedient time possible."
The bill creates a new 15-day deadline for businesses to submit breach notifications to the California Attorney General when incidents affect more than 500 state residents. Companies may delay these notifications only to accommodate law enforcement investigations or to determine the scope of the breach and restore system security. The notification requirements apply to unauthorized access of unencrypted personal data including Social Security numbers, driver's license numbers, financial account information, medical records, and biometric data.
Under the measure, businesses must provide detailed breach notifications that include the types of information exposed, timing of the incident, and steps taken in response. Companies that experience breaches involving Social Security numbers or driver's license data must offer affected individuals at least 12 months of free identity theft prevention services. The bill maintains existing provisions allowing alternative notification methods when standard notice would exceed $250,000 or affect more than 500,000 people.
 Anna CaballeroD Senator | Committee Member |  Not Contacted | |
 Tim GraysonD Senator | Committee Member | Not Contacted | |
 Melissa HurtadoD Senator | Bill Author | Not Contacted | |
 Megan DahleR Senator | Committee Member | Not Contacted | |
 Kelly SeyartoR Senator | Committee Member | Not Contacted |
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 12 | 0 | 1 | 13 | PASS |
- Requires businesses to notify California residents of data breaches within 30 days of discovery.
- Mandates notification to the Attorney General within 15 days if a breach affects over 500 residents.
- Allows delayed notification only for law enforcement needs or to determine breach scope.
- Requires standardized breach notices with specific headings and plain language for affected residents.
Email the authors or create an email template to send to all relevant legislators.
Introduced By
Senator Hurtado's data breach notification measure establishes specific timelines for California businesses to inform residents and state officials when personal information is compromised. The legislation modifies existing state law by requiring companies to notify affected individuals within 30 calendar days of discovering a data breach, replacing the current requirement of notification "in the most expedient time possible."
The bill creates a new 15-day deadline for businesses to submit breach notifications to the California Attorney General when incidents affect more than 500 state residents. Companies may delay these notifications only to accommodate law enforcement investigations or to determine the scope of the breach and restore system security. The notification requirements apply to unauthorized access of unencrypted personal data including Social Security numbers, driver's license numbers, financial account information, medical records, and biometric data.
Under the measure, businesses must provide detailed breach notifications that include the types of information exposed, timing of the incident, and steps taken in response. Companies that experience breaches involving Social Security numbers or driver's license data must offer affected individuals at least 12 months of free identity theft prevention services. The bill maintains existing provisions allowing alternative notification methods when standard notice would exceed $250,000 or affect more than 500,000 people.
Latest Voting History
| Ayes | Noes | NVR | Total | Result |
|---|---|---|---|---|
| 12 | 0 | 1 | 13 | PASS |
Anna CaballeroD Senator | Committee Member | Not Contacted | |
Tim GraysonD Senator | Committee Member | Not Contacted | |
Melissa HurtadoD Senator | Bill Author | Not Contacted | |
Megan DahleR Senator | Committee Member | Not Contacted | |
Kelly SeyartoR Senator | Committee Member | Not Contacted |