California Sets Express Disclosure Deadlines for Data Breaches
California will now require companies to notify residents of the state within 30 calendar days of a company discovering a data breach. Gov. Gavin Newsom (D) signed SB-446 on Friday after it sailed through the legislature (see 2508290005).
“The individual or business may delay this disclosure to accommodate the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system,” noted an Aug. 20 bill analysis by the Assembly Appropriations Committee.
Additionally, SB-446, authored by Sen. Melissa Hurtado (D), requires a business to notify the state attorney general of a breach within 15 calendar days of notifying affected consumers when more than 500 California residents are affected.
California previously had no deadlines for notifications. As the Assembly Privacy Committee noted in a June 24 bill analysis, “Current law has proven insufficient, as it only requires that notices be made ‘in the most expedient time possible and without unreasonable delay.’ This vague standard has resulted in significant delays, with some data breaches being reported to consumers and the Attorney General months -- or even years -- after the breach occurred.”
“SB 446 will require companies who handle your sensitive personal information to quickly notify you when your data has been breached,” Ulisses Arzola, a California Senate legislative aide who worked on the bill, posted on LinkedIn. “This not only allows individuals to mitigate potential harm to their livelihoods but encourages companies who handle this sensitive information to update their cybersecurity systems and response plans.”
Oakland Privacy, a consumer advocacy group, supported SB-446 as it moved through the state legislature. Media Alliance Executive Director Tracy Rosenberg, who represents Oakland Privacy, emailed us Monday that the bill “removes an ambiguous timeline in [California] data breach law … and replaces it with a clear and enforceable standard so that businesses fully understand their obligations."
“Defined notification timelines prevent businesses from delaying disclosures for reputational or financial reasons and swift disclosure allows individuals to take immediate protective measures, such as freezing credit or monitoring their accounts,” added Rosenberg. “Delayed notifications increase the risk of identity theft, financial fraud, and consumer harm.”
“From a compliance standpoint,” said Jordan Fischer, a privacy attorney for businesses, “California is joining other states that have these shortened [and] express reporting timelines, making it even more important to have an effective incident response plan that is trained on every year.” In an email to Privacy Daily, Fischer added that “teams will need to be ready to move quickly and report to regulators on this shorter time frame.”
Although every state has a data breach notification law, each imposes different regulations and reporting requirements, a Privacy Rights Clearinghouse official said in a recent interview. Some say a national data breach law would help (see 2509170077).