Non-Lawyer's Summary

This post explains what companies owe people after a data breach. If a business waits too long to notify customers or regulators, it can face lawsuits, fines, and higher damages even if the hacker is the one who carried out the attack. California and New York now make that timeline much tighter.

The Day the Clock Started Running

Without warning, forty million customer records were gone.

The attackers had been inside the network for two hundred days. Two hundred days of silent movement — reading databases, copying files, testing privileges, slowly exfiltrating data through connections that looked, from the outside, like ordinary traffic. By the time a threat intelligence firm spotted the anomaly and made the call, the damage was complete. Names, passwords, credit card numbers, Social Security digits — all of it, sitting on servers halfway around the world.

The breach was over. But the company's legal nightmare had just begun.

Because in cybersecurity law, the breach is only the beginning. The moment the company's security team confirms what happened — the very second they can document that they knew — a countdown timer starts. Thirty days. Twenty-four hours. Seventy-two hours. The specific number depends on which state's residents were affected, which industry the company operates in, and which regulators have jurisdiction. Miss any of those deadlines, and the company becomes the defendant in its own disaster.

This is the world of state breach notification law. When a company gets hacked, two legal tracks run simultaneously: the criminal investigation (covered in Modules 1A and 1E) and the civil/regulatory track that the breached organization faces. State breach notification laws and private damages statutes determine how quickly companies must tell victims, what regulators get notified, and what financial exposure the company faces from consumers. For legal practitioners advising breach victims or defending companies, these statutes are the daily operational reality — and the 2026 changes to California and New York's deadlines have materially tightened the timeline.


Key Concepts

What Triggers a "Breach" — And What Doesn't

A breach notification obligation is generally triggered by unauthorized access to — or acquisition of — personal information. The definition of "personal information" varies by statute, but typically includes Social Security numbers, financial account numbers, health data, login credentials, and government ID numbers.

What does NOT trigger notification: Access to encrypted data (in most jurisdictions) where the encryption key was not also accessed; access to publicly available information. Encryption is both a technical defense and a legal defense — it is one of the few things a company can do that may eliminate a notification obligation entirely.

The "Discovery Date" Problem — The Most Litigated Fact in Breach Litigation

Every state breach notification statute runs from the moment the breach was "discovered" or the company was "notified." This single fact — when did you first know? — becomes the most litigated question in class action litigation and regulatory investigations.

Technical reality: Breaches are often discovered weeks or months after they occurred. The attacker may have had access for 200 days before being detected (industry average dwell time). The "discovery date" may be:

  • When a SIEM alert fired
  • When a third-party threat intelligence firm notified the company
  • When law enforcement contacted the company
  • When the forensics firm confirmed unauthorized access
  • When scope was fully determined

Legal reality: Courts and regulators scrutinize whether companies artificially delayed the "discovery" clock by claiming they needed more time to "determine scope." The 2026 California and New York changes explicitly address this by building in limited exceptions rather than open-ended delay. The era of indefinite investigation before notification is over.

The Litigation Pipeline — What Happens After the Press Release

Breach occurs
  → Company discovers breach (notification clock starts)
    → Company notifies AG + affected consumers
      → Consumer class action filed (statutory damages × millions of consumers)
        → Standing battle (Spokeo/TransUnion)
          → Merits: was security "reasonable"?
            → Settlement or judgment

No one mentions it in the PR statement, but the lawyers know: the moment a breach becomes public, plaintiff attorneys are scanning for it. Within weeks of public disclosure, class action suits are filed. The notification itself is the starting gun.


Statutory Framework

California Penal Code § 502 — The Law That Lets Victims Strike Back

California's primary criminal computer statute covers unauthorized access, data theft, disruption, and malware introduction. But unlike the federal CFAA — which is primarily a prosecutorial tool, wielded by the government — PC § 502 explicitly creates a civil cause of action that victims can use directly.

What it covers:

  • Unauthorized access to a computer, computer system, or network
  • Unauthorized taking/use/copying of data from a computer
  • Unauthorized use of computer services
  • Disruption or denial of computer services
  • Introduction of malware (computer contaminant)
  • Aiding and abetting the above

Criminal penalties: Structured as felony/misdemeanor/infraction depending on subsection and harm level. More serious intrusions — with significant damage, or targeting critical infrastructure — are felonies.

Civil action — key provisions:

  • Compensatory damages (including "costs of responding" — mirrors CFAA "loss")
  • Injunctive relief to prevent further access
  • Attorney's fees (in certain circumstances)
  • Punitive damages: Available where the violation was willful AND committed with malice, oppression, or fraud. That bar is high — but in the right case, it transforms the exposure from manageable to catastrophic.

California Civil Code § 1798.82 — The Thirty-Day Ultimatum

Effective January 1, 2026, the rule is clear and it is not negotiable.

Businesses and agencies that own or license computerized personal information of California residents must provide notification within 30 calendar days after the date of discovery or notification of the breach.

Delay exceptions — and they are narrow:

  1. Law-enforcement delay: Notification may be delayed if a law enforcement agency determines that notification would impede a criminal investigation — but only for as long as law enforcement requests the delay. When the FBI says go, you go.
  2. Scope/integrity needs: The statute allows time needed to determine the scope of the breach and to restore the reasonable integrity of the system. But this is not a blank check — it must occur within the 30-day window. "We're still investigating" is no longer a defense.

What notification must include:

  • Date(s) of the breach (if known)
  • Date of discovery
  • Type of information compromised
  • Steps taken to respond
  • Contact information for the business

AG submission: When a breach affects more than 500 California residents, the company must submit a sample copy of the notification to the California Attorney General. That submission becomes a public record. Plaintiff attorneys read it the same day.

Enforcement: The AG can seek injunctions and civil penalties; class actions under § 1798.150 provide the private enforcement mechanism.


California Civil Code § 1798.150 — The Class Action Mathematics of Catastrophe

What it covers: Private civil suits for consumers whose nonencrypted/nonredacted personal information is subject to unauthorized access, exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures and practices.

Damages:

  • Statutory damages: $100 to $750 per consumer per incident (or actual damages if greater)
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

The "reasonable security" requirement: This is the merits question — courts and regulators evaluate whether the company's security practices were adequate for the sensitivity of the data held and industry standards. The FTC's "Start with Security" guidance and the CIS Controls are commonly referenced benchmarks. Storing passwords in plaintext is not reasonable. Having no penetration testing program is not reasonable. In discovery, the company's security posture will be exposed completely.

Pre-suit notice and cure: Before filing suit, a consumer must provide the business 30 days' written notice identifying the specific provisions of law the consumer alleges were violated. If the business cures the violations within 30 days and provides the consumer with express written statements that the violations have been cured and that no further violations will occur, no action may be initiated. This window is both a procedural hurdle for plaintiffs and a strategic opportunity for companies that move fast.

The class action math that keeps GCs awake at night:

$750 statutory damages × 50 million consumers = $37.5 billion maximum exposure.

That number explains why every major breach generates settlement pressure before a single fact is established at trial. The liability floor is so high that even a small probability of losing at summary judgment creates an intolerable risk.


New York General Business Law § 899-aa — The Eastern Flank

The 30-day rule: Notification must be made "in the most expedient time possible and without unreasonable delay" but — critically — within thirty days after the breach has been discovered or in the reasonable belief that the breach occurred.

Delay exceptions:

  • Law enforcement may request delay where notification would impede a criminal investigation
  • The statute allows time for the company to determine the scope and restore system integrity — but the 30-day outer limit bounds this

Enforcement tools:

  • New York Attorney General may seek injunction
  • Civil penalties for failure to notify: capped/statutorily structured (not unlimited)
  • Sector regulators (e.g., DFS for financial institutions) may have additional enforcement authority

Covered information: SSNs, driver's license/ID numbers, account numbers plus security codes, medical/health insurance information, biometric data, username/email plus password combinations.


New York 23 NYCRR 500 — The Financial Sector's Separate Universe

The New York Department of Financial Services doesn't wait for a breach to get interested. It imposes baseline cybersecurity requirements on covered financial institutions — banks, insurance companies, other regulated entities — before anything goes wrong. And when something does go wrong, it adds a second deadline on top of everything else.

Key obligations:

  • Written cybersecurity program
  • Risk-based cybersecurity policy
  • CISO designation
  • Penetration testing
  • Multi-factor authentication
  • Encryption of nonpublic information in transit and at rest
  • Incident reporting: Covered entities must notify DFS within 72 hours of determining a cybersecurity event has occurred that materially affects the entity's ability to operate or the nonpublic information of consumers

This regulation adds a second notification clock for covered financial entities: the DFS 72-hour deadline runs in parallel with the AG's 30-day consumer notification deadline. Two clocks, two regulators, two enforcement tracks. From the moment of discovery.


Texas — Breach Notification

Texas imposes breach notification obligations with a reporting channel to the Texas Attorney General. Exact requirements depend on entity type, size, and the type of data and individuals affected.

General framework: Notice to affected individuals and to the Texas AG for breaches affecting 250 or more Texas residents.

Note: Texas breach notification law evolves; practitioners must verify the current statutory text against the specific facts of each incident.


Comparative Framework — Every Clock, Side by Side

California
  • Outer deadline: 30 days from discovery (effective Jan 1, 2026)
  • Notification trigger: Unauthorized access to computerized PI of CA residents
  • AG/regulator notice: Yes — AG copy required when 500+ residents affected
  • Private action: Yes — § 1798.150: $100–$750/consumer/incident
  • Max fine/damages: Statutory + punitive possible

New York
  • Outer deadline: 30 days from discovery
  • Notification trigger: Unauthorized access to computerized PI of NY residents
  • AG/regulator notice: Yes — AG notification + sector regulators (DFS for financial)
  • Private action: Indirect — AG can seek damages; class actions via consumer protection theories
  • Max fine/damages: AG can seek civil penalties; DFS can impose additional fines

Texas
  • Outer deadline: "In the most expedient time" — no explicit outer deadline in baseline statute
  • Notification trigger: Unauthorized acquisition of PI of TX residents
  • AG/regulator notice: Yes — AG notice for 250+ residents
  • Private action: Limited direct private action
  • Max fine/damages: AG enforcement

EU (GDPR)
  • Outer deadline: 72 hours to supervisory authority; "without undue delay" to individuals
  • Notification trigger: Breach of personal data likely to result in risk to rights/freedoms
  • AG/regulator notice: Yes — supervisory authority (DPA)
  • Private action: Via DPA enforcement; indirect private claims
  • Max fine/damages: Up to €20M or 4% worldwide turnover

EU (NIS2)
  • Outer deadline: 24h early warning + 72h incident notification
  • Notification trigger: Significant incident affecting essential/important entity
  • AG/regulator notice: Yes — national competent authority / CSIRT
  • Private action: Via regulatory enforcement
  • Max fine/damages: ≥€10M or ≥2% turnover (essential); ≥€7M or ≥1.4% (important)

Enforcement Flowchart — Every Deadline, Every Track

Breach discovered (clock starts)
  │
  ├─ Within 72 hours: DFS notification (if NY financial institution)
  │
  ├─ Within 72 hours: GDPR notification (if EU personal data involved)
  │
  ├─ Within 72 hours: NIS2 incident notification (if EU essential/important entity)
  │
  ├─ Within 30 days: CA individual notification + AG copy (if 500+ CA residents)
  │
  ├─ Within 30 days: NY individual notification + AG notification
  │
  ├─ TX notification (no outer deadline — "expedient")
  │
  └─ Class action exposure begins from notification date
       → Plaintiff lawyers scan AG submissions and news for breach targets
       → Consumer class actions filed within weeks of public disclosure
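The flowchart above can be turned into a small deadline calculator. This is an added example, not part of the module: it computes every clock the module lists from a chosen discovery date, and then re-runs the same computation from the earliest event in the incident log to show how much the answer depends on which "discovery" date a court accepts. The incident log, the notice date and the jurisdiction flags are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed incident log, recorded in the order the module recommends
# (first alert, first human review, first confirmation, scope determination).
INCIDENT_LOG = [
    ("siem_alert",          datetime(2026, 3, 2, 14, 5, tzinfo=UTC)),
    ("first_human_review",  datetime(2026, 3, 3, 9, 30, tzinfo=UTC)),
    ("forensics_confirmed", datetime(2026, 3, 6, 17, 0, tzinfo=UTC)),
    ("scope_determined",    datetime(2026, 3, 20, 12, 0, tzinfo=UTC)),
]
NOTICE_DATE = datetime(2026, 4, 15, 9, 0, tzinfo=UTC)  # constructed: day notices go out

def deadlines(discovered_at, ca=0, ny=0, tx=0, dfs=False, gdpr=False, nis2=False):
    """Map each applicable clock to its outer deadline (None = no statutory limit).
    ca/ny/tx are affected-resident counts; dfs/gdpr/nis2 flag the extra regimes."""
    d = {}
    if dfs:   # 23 NYCRR 500: 72 hours from determining a material cybersecurity event
        d["DFS notice (23 NYCRR 500)"] = discovered_at + timedelta(hours=72)
    if gdpr:  # GDPR: 72 hours to the supervisory authority
        d["GDPR notice to supervisory authority"] = discovered_at + timedelta(hours=72)
    if nis2:  # NIS2: 24h early warning, then 72h incident notification
        d["NIS2 early warning"] = discovered_at + timedelta(hours=24)
        d["NIS2 incident notification"] = discovered_at + timedelta(hours=72)
    if ca:    # Civ. Code 1798.82: 30 calendar days; AG sample copy above 500 residents
        d["CA individual notice (Civ. Code 1798.82)"] = discovered_at + timedelta(days=30)
        if ca > 500:
            d["CA AG sample copy"] = discovered_at + timedelta(days=30)
    if ny:    # GBL 899-aa: 30-day outer limit for individuals and the AG
        d["NY individual + AG notice (GBL 899-aa)"] = discovered_at + timedelta(days=30)
    if tx:    # "most expedient time", no outer limit; AG notice at 250 or more residents
        d["TX individual notice"] = None
        if tx >= 250:
            d["TX AG notice"] = None
    return d

def overdue(discovered_at, notified_at, **scope):
    """Clocks already missed if notice goes out at notified_at."""
    return sorted(label for label, due in deadlines(discovered_at, **scope).items()
                  if due is not None and notified_at > due)

def earliest_discovery_candidate(log):
    """Earliest logged event: the date a plaintiff will argue the clock began."""
    return min(ts for _, ts in log)

if __name__ == "__main__":
    scope = dict(ca=600, ny=10, tx=300, dfs=True)
    print("from scope_determined:", overdue(INCIDENT_LOG[-1][1], NOTICE_DATE, **scope))
    print("from first alert:     ", overdue(earliest_discovery_candidate(INCIDENT_LOG), NOTICE_DATE, **scope))
```

Measured from scope determination only the 72-hour DFS clock is missed; measured from the first SIEM alert, both 30-day consumer clocks are missed as well.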

Practitioner Takeaways

1. Design incident response to be "litigation ready" from day one. Document the discovery timeline in real time. Every entry in the incident response log is potentially discoverable. "When did you first know?" will be litigated. Create a formal record: first alert, first human review, first confirmation, scope determination, remediation completion.

2. The 30-day clock is not negotiable. The 2026 California and New York changes eliminated the ambiguity that allowed companies to argue they were still "determining scope." The law now provides limited exceptions (law enforcement delay; scope/integrity determination) — but these do not create unlimited extensions. If the 30-day outer limit passes, the company is presumptively in violation.

3. Delay arguments now face headwinds. If a class action plaintiff can show the company knew about the breach (or should have known) more than 30 days before notifying, that is evidence of a statutory violation — and potential grounds for punitive damages under PC § 502 (if willful with malice).

4. The CCPA notice-and-cure window is strategic. The 30-day notice/cure window before suit is both a procedural hurdle for plaintiffs and a strategic window for companies to remediate and document remediation. Companies that act quickly and document their cure reduce both litigation risk and the punitive damages argument.

5. The $750 per-consumer statutory damages cap is a class action magnet. A company with 10 million California customers that experiences a breach of login credentials faces $7.5 billion in maximum statutory exposure (at $750/person). This means virtually every meaningful breach involving California residents will generate class action interest. Counsel should assess this exposure early and advise on settlement strategy before notification.

6. "Reasonable security" is the merits — document your security posture now. The CCPA private action requires a failure to implement "reasonable security." Companies with documented security programs, regular penetration testing, and incident response plans are in a stronger defensive posture. Companies that have never conducted a security assessment and store data in plaintext face a much harder defense.


Quiz

See: artifacts/quizzes/quiz-01b.md
