Senator Hurtado's data breach notification legislation establishes specific timelines for California businesses to inform affected residents and state officials following security incidents. The measure amends existing law by requiring companies to notify individuals within 30 calendar days of discovering a breach that compromises personal information, while maintaining exceptions for law enforcement needs and breach scope determination.
The bill also creates a 15-day deadline for businesses to submit sample breach notifications to the Attorney General's office when incidents affect more than 500 California residents. Current law requires these submissions but does not specify timing requirements. The notification content standards remain unchanged, including requirements for plain language, standardized headings, and minimum text sizes.
The amendments apply to breaches involving various types of personal information, including Social Security numbers, financial account details, medical data, and biometric identifiers. Organizations must still follow existing protocols for notification methods, which allow written notices, electronic communications, or substitute notices based on specific criteria like the number of affected individuals or available contact information.
Covered entities under federal health privacy laws that comply with those notification requirements will continue to satisfy portions of the state mandate, though they must meet all other provisions of California law. The measure maintains current exemptions for encrypted data and good faith access by employees, focusing on unauthorized acquisitions that compromise data security.
Anna Caballero (D) | Senator | Committee Member
Roger Niello (R) | Senator | Committee Member
Benjamin Allen (D) | Senator | Committee Member
Eloise Reyes (D) | Senator | Committee Member
Scott Wiener (D) | Senator | Committee Member
This bill was recently introduced.