SB 446 and California’s New Thirty-Day Data Breach Countdown | By: Jared W. Slater

For businesses operating in California, the rules of the game are changing once again, this time concerning data security breaches of employee or consumer information. California’s new Senate Bill 446, which becomes effective on January 1, 2026, replaces a former flexible standard with a hard deadline that demands immediate attention from every employer that handles the personal information of California residents, including employee data. This change shifts the regulatory landscape from one based on “unreasonable delay” to one based on a fixed calendar deadline.

Specifically, SB 446 establishes a 30-calendar-day mandate for employers to notify affected California residents of a data breach. Previously, California law required disclosure “in the most expedient time possible and without unreasonable delay.” That phrase offered room for the complexities of a thorough investigation to unfold. SB 446 deletes that language in favor of a requirement that disclosure be made within 30 days of the discovery of the breach or notification of the breach. The written notification itself must be comprehensive, clearly and accurately describing the nature of the breach, including the specific types of personal information compromised, such as names, Social Security numbers, or financial account details. The notice must also include a statement of the measures taken or planned by the business to address the breach and prevent future harm, and provide contact information for the business, alongside a suggestion that the affected resident review any accompanying identity theft prevention or mitigation information. While the law retains a narrow exception for delaying notice at the request of law enforcement or when absolutely necessary to determine the scope and restore the reasonable integrity of the system, the regulatory expectation is now clear: businesses should be able to move from initial discovery to notification of all affected individuals in under a month.

This new 30-day clock is accompanied by a second, equally important timeline. If a breach affects more than 500 California residents, employers must notify the California Attorney General. SB 446 introduces a specific deadline for this regulatory reporting: a sample copy of the breach notification must be submitted electronically to the Attorney General within 15 calendar days after the individual resident notifications have been sent. This subsequent requirement means the report to the state must be processed immediately following the public notification, demanding a seamless, coordinated compliance effort.

For employers, compliance with SB 446 requires immediate focus on forensics, legal review, and drafting notices. Businesses should audit their existing technical and procedural readiness, ensuring that all data security and IT systems are configured to enable rapid forensic analysis to quickly confirm the scope of the breach and identify the specific individuals impacted. Simultaneously, businesses should consider preparing a legally compliant notification template and a clear response protocol in the event of a data breach.

An employer that fails to adhere to SB 446 would be subject to an enforcement action by the Attorney General’s office, which may pursue substantial civil penalties and potential multi-million dollar fines, as seen in previous California breach cases. Furthermore, a failure to meet this rigid deadline may be cited as evidence of inadequate security practices, triggering the California Consumer Privacy Act's (CCPA) private right of action, which allows affected consumers to sue for damages ranging from $100 to $750 per consumer per incident.

This publication is published by the law firm of Ervin Cohen & Jessup LLP. The publication is intended to present an overview of current legal trends; no article should be construed as representing advice on specific, individual legal matters. Articles may be reprinted with permission and acknowledgment. ECJ is a registered service mark of Ervin Cohen & Jessup LLP. All rights reserved.
