California Data Breach Notification Law: What Small Businesses Must Do After a Breach

Ulises Paiz

Ulises Paiz, Founder of Ghosxt, has 10+ years in IT infrastructure and cybersecurity, an Active Top Secret Clearance, and 9 certifications including CySA+, Security+, and AZ-104. Before founding Ghosxt, he served as a Senior Solutions Consultant for the DoD and built security programs for 40+ Central Coast businesses. More about Ulises →

Ask a small business owner in Salinas or Monterey whether California's data breach notification law applies to them, and most assume it doesn't, on the theory that state privacy law is written for companies with legal departments and compliance teams. It isn't. California Civil Code 1798.82 was written broadly on purpose, and it applies the moment your business stores computerized personal information about a California resident, whether that's a customer list, a patient file, or an employee spreadsheet. The law doesn't ask how many people work for you.

The law applies long before most owners think it does

There's no employee-count exemption, no revenue threshold, and no carve-out for businesses that never intended to become "a data company." If you keep customer names and payment information, employee Social Security numbers for payroll, or patient records, you're covered the same way a large retailer is. What actually varies by business size isn't whether the law applies, it's how prepared a business is to respond when it has to, and that gap is exactly where small businesses get hurt: not because the rules are unfair, but because nobody read them until an incident forced the question.

What actually counts as reportable personal information

The trigger isn't any data loss, it's unauthorized acquisition of unencrypted personal information, specifically a person's first name or initial and last name combined with one or more of these:

  • A Social Security number, driver's license, state ID, or passport number.
  • A financial account, credit, or debit card number, paired with any security code or password that would allow access.
  • Medical information or health insurance information.
  • Biometric data, such as a fingerprint or retina scan used for identity verification.
  • A username or email address combined with a password or security question answer that would let someone access an account, even with no name attached.

That last category is the one small businesses miss most often. A breached customer login database, with no name required, still triggers the law if it exposes email addresses paired with passwords. If your business stores any of this, in a POS system, a booking platform, a payroll tool, or an old spreadsheet nobody's looked at in years, you're in scope.

What a compliant notice has to say, and how fast

California's standard is disclosure "in the most expedient time possible and without unreasonable delay," not a fixed day count you can circle on a calendar. That ambiguity is exactly why this decision needs a lawyer involved quickly rather than a guess made under pressure. A compliant notice generally has to include the categories of information involved, the date or date range of the breach, and contact information for the business. If Social Security, driver's license, or California ID numbers were involved, the notice must also offer affected individuals free identity theft prevention and mitigation services for a period of time. If a single breach affects more than 500 California residents, a sample of the notice also has to go to the California Attorney General's office. None of this is discretionary once the trigger is met.

The real financial risk isn't the notification, it's the lawsuit

The part that catches small businesses off guard isn't the cost of mailing letters, it's that the CCPA and its expansion under the CPRA created a private right of action specifically for data breaches caused by a failure to maintain reasonable security. That means an affected individual, or a class of them, can sue and recover statutory damages per incident without having to prove they suffered actual financial harm. A breach that would once have meant a notification letter and a credit monitoring offer can now mean litigation, and "we didn't know the law applied to us" is not a defense that holds up once you're a named defendant.

Getting ahead of this before you need it

  • Inventory what personal information you actually hold, including old systems and exports nobody remembers exist, so you know your real exposure instead of guessing during an incident.
  • Encrypt data at rest wherever it lives, on laptops, backups, and databases. Encrypted data that's never decrypted by the attacker generally falls outside the notification trigger entirely.
  • Name breach counsel in your incident response plan, not just "a lawyer," so the notification decision has an owner the moment an incident starts.
  • Check what your cyber insurance policy already includes, since most breach response coverage bundles forensics, legal counsel, and notification/credit monitoring services as part of the claim, often at no separate cost when you need them.
  • Decide your identity protection vendor in advance, so offering 12 months of coverage after a breach involving SSNs or driver's license numbers is a phone call, not a scramble.

None of this requires a compliance department. It requires knowing what data you have, encrypting what you can, and having the right phone number ready before the day you need it.

Where this fits

FAQs about California's data breach notification law

Does California's breach notification law really apply to a 5-person business?

Yes. California Civil Code 1798.82 applies to any business that owns or licenses computerized personal information about a California resident, with no exemption for employee count or revenue. A five-person shop with a customer database and a two-person law office with a client list are both covered exactly the same way a large enterprise is. Size only affects how prepared you are to respond, not whether the law applies to you.

Do we still have to notify people if the stolen data was encrypted?

Generally no, if the data was encrypted and the encryption key was not also compromised, because the law's trigger is unauthorized acquisition of unencrypted personal information. That's exactly why encrypting laptops, backups, and databases at rest is one of the highest-value, lowest-cost controls a small business can put in place. It does not just reduce risk; in a breach scenario it can be the difference between a required notification event and one that legally isn't.

What if we're not sure exactly what data was exposed?

That uncertainty is normal in the first hours of an incident, and it's exactly why forensic scoping and breach counsel come before you draft anything. Guessing wrong in either direction carries risk: under-notifying if the scope turns out to be broader than you first thought, or over-notifying and creating unnecessary alarm and cost. Your cyber insurer's incident response team typically includes forensics and breach counsel as part of the policy specifically to answer this question quickly, which is one more reason to have that policy and that phone number in place before you need either one.

This post explains how California's breach notification law generally works and is not legal advice. If you're responding to an actual incident, involve breach counsel before deciding what to send or when to send it.

Not sure what a breach would actually require you to do?

30 minutes with a DoD-cleared engineer. We'll help you inventory the personal information your business actually holds, encrypt what's exposed, and build the notification decision into an incident response plan before you ever need one.

Book your free security assessment
Call (831) 204-0501 Book free assessment