Existing law requires an individual or a business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California whose unencrypted personal information was compromised, as specified, and requires that disclosure to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as specified, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
This bill would require that data breach disclosure to be made within 30 calendar days of discovery or notification of the data breach but would authorize a business to delay the disclosure to accommodate the legitimate needs of law enforcement, as specified, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Existing law also requires an individual or business that is required to issue the security breach notification described above to more than 500 California residents as a result of a single breach of the security system to electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
This bill would require that submission to the Attorney General to be made within 15 calendar days of discovery or notification of the security breach.

Statutes affected:
SB 446: 1798.82 CIV
02/18/25 - Introduced: 1798.82 CIV