Southwest Networks - Managed IT Services & Cybersecurity

California SB446 And What You Need To Know

Published December 31, 2025

About This Video

In this episode I briefly discuss California SB446, which takes effect on January 1st, 2026, and what you need to know.

Link to more information: https://www.southwest-networks.com/blog/sb-446-californias-new-30-day-breach-rule

#southwestnetworksincpalmdesert

➡ Download our Free IT Buyers Guide: https://www.southwest-networks.com/it-buyers-guide
➡ Interested in working with us? Book a quick and easy call: https://www.southwest-networks.com/discoverycall

Connect with us!
https://www.southwest-networks.com
https://www.facebook.com/southwestnetworks
https://www.linkedin.com/company/southwest-networks-inc

⏰ Timecodes ⏰
00:00 Introduction
00:20 California SB446
02:53 Some things to do now to prepare
05:50 Who to notify internally

Full Transcript

Auto-generated from the video's captions. Minor transcription errors may exist.

Welcome back to another episode of Cappuccino Chat. This time we're talking about something very important, as California is changing a law. This is California SB 446 and what you need to know.

All right, so this time we're talking about California SB 446. Now, most of us probably haven't heard of this before, but it concerns California's data breach law. So what we need to know is that starting January 1st, 2026, so now, businesses will have 30 days to notify people after a data breach. Not "reasonable time" like it used to be, not "as soon as possible," but a hard 30-day clock. So, at its core, SB 446 amends California's data breach notification law to put clear deadlines on when businesses must notify individuals and the Attorney General after a data breach.

So what do we need to know? If your business handles any personal information from California residents, even if you're not in California, this will apply to you. So why should you care? Well, it's because this changes how fast your teams must detect, investigate, and communicate a breach. Now, a lot of us don't know when there's a breach. Maybe your IT department doesn't have those kinds of monitoring tools in there. But if it's ever found out due to external sources, you know, hackers notifying the news, those kinds of things, it's basically when you're notified that you then have 30 days. And if the incident impacts 500 or more Californians, you'll also have to send a sample notice to the Attorney General within 15 days of telling your customers. So that's a really quick turnaround, even if you're, you know, as fast as you can be: everything's running smooth, your security team's on top of things, you're on top of things, you can get a hold of your attorney and all that other kind of stuff. That's really fast. Now, the law does still allow a delay if law enforcement says disclosure would hurt an investigation, right?

So if they determine they need more time to determine the scope, those kinds of things that deal with the investigation, you can get more time. Or if you need time to restore system integrity and see how far the breach went. There are ways of getting exceptions, but those exceptions are narrow, and it's not your get-out-of-jail-free card, right? So you've got to make sure you know what you're doing when you apply for those. So just assume you have 30 days when you're notified of a breach, right?

So, some things you're going to want to do to get prepped for this so that you can stay on top of it: update your incident response plan, if you have one, with that 30-day deadline baked in. Right? You want to make sure that everybody who's going to end up dealing with something like this, both internal to your organization and external, is in the loop and aware of what's going on. So that's going to include your legal, your IT security if it's separate, communications, so like PR, those kinds of things. You're going to want to make sure they're all aware of your incident response plan and who does what when, all those kinds of things. You're going to want to review any vendor or third-party contracts for notification obligations. So, let's say you have a cloud application. You're going to want to make sure that you review that, or get them to update that for you, letting them know that, hey, you're in California. So if they get a breach, and it's your instance of that cloud software that you're running that gets breached and there's an issue, you have to notify your customers again, right? So they have to notify you first. So you've got to make sure that's being taken care of. If you have a breach notification template, make sure that's all set up. That's something to go over with your legal department. You're going to want to train your team so that everybody knows the sound of the alarm and the sequence after detection.

So, again, if they start noticing something, make sure they raise the incident up to your IT department so that they can get involved as soon as possible. Is it really a breach? Is it not a breach? You know, those kinds of things. So there are a lot of things that are not considered a true breach, right? The breach would be access to or the exfiltration of data, right? So if they've got access to your systems, live on your system, get into your database, they download all that stuff, they get all that data, they get access, those are breaches, right?

You're also going to want to review your cyber insurance. Make sure your risk tolerances are in accordance with whatever that says, so that if your understanding is, hey, I understand I don't have this level of protection and I'm okay with it, maybe now you want to consider whether that's good enough anymore, to make sure that your controls and any of those security layers are in place so that you can meet these 30-day deadlines that we now have. So January 1, so now, this is when this takes effect. So if you get a breach, or a software manufacturer that you deal with gets a breach, one, they've got to notify you within 30 days, but then you also need to notify your clients within that 30 days.

So now, let's be honest, nobody wants to deal with a data breach in the first place. But this makes things very clear as far as California is concerned. When it does happen, you won't have time to wander around wondering what you've got to do next, who you've got to notify, who you've got to contact, those kinds of things, right? So cyber insurance company, IT, legal, all that stuff needs to be contacted, and in what order does it need to happen, right? So you also need a plan that you've tested, refined, and can execute under some of these instances.

So, do you have things laid out, even in a rough format, so that people don't jump the gun and start talking to the news when you haven't even notified legal, those kinds of things, you haven't even notified IT, the cyber insurance company, all those things? So you need to make sure you understand the order in which those contacts happen, because at the end of the day, you can't fix what you don't know is broken. And now if you find out it's broken, you've got even less time to tell people about it and notify them. So again, we are not attorneys, so please contact your legal counsel for their recommendations. I'm also going to be putting a link to a full blog article with some additional links in it concerning this SB446, so that you can get some more information. Go over it again with your legal team, go over it with your internal team, and make sure that you're prepared. If any questions come up, please feel free to reach out to us at 760-770-52000.
