In less than 3 months, any company doing business in California impacted by a data breach must notify individuals within 30 days of the discovery under SB 446. The 30-day deadline may be delayed (1) to accommodate the needs of law enforcement, or (2) as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
In addition, if more than 500 California residents are impacted, the business must also electronically submit a sample copy of the security breach notification to California’s Attorney General within 15 calendar days of notifying the individuals.
How is SB 446 Different from Existing Law?
Existing law requires individuals or businesses that conduct business in California to disclose a breach of the security of personal information to affected California residents. Under existing law, the notification of breach is made “in the most expedient time possible and without unreasonable delay.” Beginning in 2026, the notification must be made within 30 days of the discovery or notification of the breach, with very limited exceptions.
Likewise, a definitive timeline of 15 calendar days is established for providing the California Attorney General with the same breach notice.
Any business that is doing business with California customers or employees and becomes aware of a potential data breach should immediately consult with counsel, including the author of this article or any member of CDF Labor Law’s Privacy Practice Group.