Senator Hurtado's data breach notification measure establishes specific timelines for California businesses to inform consumers and state officials when personal information is compromised. The legislation requires companies to notify affected California residents within 30 calendar days of discovering a data breach, though delays are permitted to accommodate law enforcement investigations or to determine the scope of the breach.
For incidents affecting more than 500 California residents, businesses must submit a redacted sample of their breach notification to the Attorney General within 15 calendar days of informing consumers. The notifications must follow a standardized format with clear headings addressing what happened, what information was involved, and what actions are being taken in response. These notices must use plain language, maintain minimum text sizes, and include contact information for credit reporting agencies if sensitive identifiers like Social Security numbers were exposed.
The measure preserves existing provisions allowing alternative notification methods when standard contact proves impractical or cost-prohibitive. Healthcare entities that comply with federal breach notification requirements under HIPAA are deemed to meet certain state notice obligations, though they remain subject to the new timeline requirements and other provisions of the law. The legislation maintains current definitions of personal information and security breaches while adding specific protocols for incidents involving online account credentials.
Melissa Hurtado (D), Senator, Bill Author
Ayes | Noes | NVR | Total | Result |
---|---|---|---|---|
74 | 0 | 5 | 79 | PASS |