Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- up to $3,000 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are detailed considerations when determining if a breach is reportable.
  • There are specific requirements that must be detailed in the security breach notification.
  • If a single breach affects more than 500 California residents, the report must be submitted electronically to the Attorney General.
  • The California Department of Health Services must be notified of a medical breach no later than 15 days after discovery of a breach.
  • The business or person providing notifications must offer identity theft prevention and mitigation services to each affected person at no cost for at least 12 months.
  • California law grants customers injured by violation of the law the right to institute a civil action. The business may be enjoined. These penalties apply for violation of data protection and data disposal laws too.
  • For violations involving patient medical information, the Department of Public Health may assess administrative penalties of $100 per day, to a maximum of $250,000.
  • The instructions vary for different types of breaches, such as breaches of online accounts, login credentials, or email accounts.
  • A business that owns, licenses, or maintains personal information about a California resident must implement and maintain reasonable security procedures and practices to protect the personal information.
  • A business that discloses personal information about a California resident pursuant to a contract with a vendor must require by contract that the vendor implement and maintain reasonable security procedures and practices to protect the personal information.
  • If a vendor is breached, the vendor must report it to the data owner. The data owner will be responsible for completing the reporting and consumer notifications.
  • If your breach affects residents in other states, you will need to notify those residents under each of those states' rules.
Statutes and Laws
  • Cal. Civ. Code § 1798.82, Disclose a breach of the security of the system
  • Cal. Civ. Code § 1798.81, Disposal
  • Cal. Civ. Code § 1798.81.5, Personal information about California residents protected
  • Cal. Civ. Code § 1798.83, Disclosure of personal information to third parties
  • Cal. Civ. Code § 1798.84, Enforcement and penalties
  • Cal. Health & Safety Code § 1280.15
  • California has issued a handbook for state record retention.  It can be found at:
  • Cal. Civ. Code §§ 1798.100 – 1798.199 California Consumer Privacy Act of 2018 (Effective January 1, 2020)