California tightens rules on data breach notifications

On October 3, 2025, Governor Hurtado approved Senate Bill 446 (SB 446), Chapter 319, amending Section 1798.82 of the California Civil Code regarding data breach notifications.

What happened

The law requires that any individual or business conducting business in California that owns or licenses computerized data containing personal information must disclose a breach of the security of the system to affected California residents within 30 calendar days of discovering or being notified of the breach. Disclosure may be delayed only to accommodate legitimate law enforcement needs or to determine the scope of the breach and restore the integrity of the data system. 

If a breach affects more than 500 California residents, a sample copy of the notification must be submitted electronically to the California Attorney General within 15 days of notifying affected consumers. SB 446 defines the types of personal information covered and sets detailed requirements for the content and format of breach notifications, including plain-language headings such as “What Happened?” and “What You Can Do.”

What was said

The most recent bill analysis notes, “This bill adds deadlines to an existing statute that requires an individual or a business to report a breach of certain data systems to affected California residents and to the Attorney General. Specifically, this bill requires a qualifying individual or business that experiences a breach of the security of a system that includes personal information to disclose the breach within 30 days to California residents whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The individual or business may delay this disclosure to accommodate the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” 

Why it matters

Under the bill, healthcare providers, insurers, and other entities conducting business in California must disclose breaches within 30 calendar days of discovery. The law explicitly covers medical information, health insurance information, and biometric or genetic data, all of which are central to healthcare operations and highly regulated under laws such as HIPAA. 

Compliance with SB 446 ensures that healthcare organizations provide clear, plain-language notifications to patients, describing what happened, what information was affected, and what steps individuals can take to protect themselves, including identity theft prevention services if necessary. 

Failure to comply can result in significant reputational damage, legal consequences, and financial penalties, which makes the bill directly relevant to healthcare organizations’ data security policies, breach response planning, and patient trust management. Submission of sample notifications to the California Attorney General ensures accountability and transparency in managing large-scale breaches.

What happens next

After a data breach occurs, SB 446 sets a clear sequence of actions for affected individuals or businesses. First, the organization must promptly investigate the breach to determine whether personal information was, or is reasonably believed to have been, acquired by an unauthorized person. 

Once the scope is understood, the organization must notify affected California residents within 30 calendar days of discovering or being notified of the breach, unless a delay is necessary to accommodate law enforcement or to restore the integrity of the data system. The notification must be written in plain language and include headings such as “What Happened?”, “What Information Was Involved?”, “What We Are Doing”, and “What You Can Do.” 

If more than 500 residents are affected, a sample copy of the notice must be submitted electronically to the California Attorney General within 15 days of notifying consumers. Notifications may include identity theft prevention services, steps to secure accounts, and contact information for reporting agencies. If the organization maintains its own compliant notification procedures under an internal information security policy, these may be used instead.

FAQs

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates to notify individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media if PHI is breached or compromised.

When must an organization report a breach?

Under HIPAA, a breach must be reported without unreasonable delay and no later than 60 days from the discovery of the breach. Covered entities must notify affected individuals first, then HHS. If the breach affects 500 or more individuals, HHS must be notified immediately, and a media notice is also required. For fewer than 500 individuals, HHS reporting may be done annually.

What counts as a breach under HIPAA?

A breach occurs when PHI is accessed, acquired, or disclosed in a manner not permitted under HIPAA that compromises the security or privacy of the information. Certain exceptions apply, such as unintentional access by workforce members or situations where PHI is rendered unusable, unreadable, or indecipherable through encryption.