
If your employer experienced a data breach, how long should it take before you find out? Under California’s new data breach notification law, the answer is no longer “whenever they get around to it.” As of January 1, 2026, employers and businesses have a hard 30-day deadline to notify you, and failing to meet it can have serious legal consequences.

At Bibiyan Law Group, our experienced data breach lawyer team helps California employees understand their rights when their personal information is exposed. As part of our broader employment law practice, we evaluate your legal options, pursue maximum compensation, and push for stronger protections from the companies that failed you.

What Is California’s SB 446?

California Senate Bill 446, signed into law by Governor Gavin Newsom and effective January 1, 2026, amends the state’s existing data breach notification statute under California Civil Code §1798.82. The new law replaces the old “without unreasonable delay” standard with a firm 30-calendar-day deadline.

What that means in plain terms: if a company discovers that your personal information was compromised in a data breach, they have 30 days to notify you. No exceptions, no vague timelines.

Before SB 446, that requirement was far more flexible. There was no hard deadline, which meant some employees and consumers went months, or even over a year, without ever learning their data had been stolen or exposed. State Senator Melissa Hurtado, who authored the bill, called this gap a “critical loophole” in California’s data protection laws. SB 446 closes it.

What Does the 30-Day Deadline Actually Mean?

The 30-day clock starts the moment a company discovers, or is informed of, the breach. Here is what the law now requires:

• Individual notification must be sent within 30 calendar days of discovering the data breach.
• The Attorney General must be notified within 15 calendar days of notifying affected individuals if the breach impacts more than 500 California residents.
• Written notice must clearly describe what happened, what personal information was involved, and what steps the company is taking to address the breach.

The notice must include five specific sections: what happened, what information was involved, what the company is doing about it, what you can do to protect yourself, and contact information for follow-up.

There are two narrow exceptions that may delay notification. A company may delay if a law enforcement agency determines that notification would interfere with a criminal investigation, or if more time is needed to determine the full scope of the breach and restore the integrity of their system. These exceptions are limited and must be documented.

Why This Matters for California Employees

If your employer stores your personal information, and almost all employers do, this law directly protects you. Employee data is among the most commonly exposed in workplace data breaches. This includes:

• Social Security numbers, which are used to open fraudulent accounts or file false tax returns.
• Direct deposit and bank account information, which is vulnerable to unauthorized transactions.
• W-2 tax forms, which are frequently targeted in payroll and HR-related breaches.
• Protected health information (PHI), such as medical records, disability forms, leave requests, and insurance data that employers store on file.
• Personally identifiable information (PII), meaning any data that can be used to identify, locate, or harm you, including your name, address, date of birth, and login credentials.

When your employer waits too long to tell you about a breach, you lose valuable time to freeze your credit, monitor your accounts, change your passwords, or take other protective steps. The 30-day deadline exists to make sure you are not left in the dark while your information is being misused.

What If Your Employer Fails to Notify You in Time?

Missing the 30-day deadline is not just a compliance issue. It can be evidence of inadequate security practices and can expose your employer to significant legal liability.

Under the California Consumer Privacy Act (CCPA), a failure to provide timely notification may support a data breach claim allowing affected individuals to seek statutory damages of $100 to $750 per consumer per incident, even without proving actual financial harm. The California Attorney General can also pursue civil penalties and substantial fines for companies that fail to comply.

For employees, a delayed or missing notification may also be relevant to other legal claims, particularly if the employer’s failure to act contributed to identity theft, financial loss, or emotional distress.

If you were not notified of a data breach within 30 days, or if you discovered your information was compromised but your employer never told you, you may have grounds to file a data breach lawsuit in California. Speaking with a data breach lawyer as soon as possible gives you the best chance of understanding your options and preserving your claim. If the breach affected a large group of employees, you may also qualify to participate in a class action lawsuit.

What You Should Do If Your Information Was Exposed

If you believe your employer has experienced a data breach, whether or not you have received formal notice, here are the steps to take immediately.

• Monitor your financial accounts for any unusual transactions or unfamiliar activity.
• Place a credit freeze or fraud alert with all three major credit bureaus: Equifax, Experian, and TransUnion.
• Review your credit reports at AnnualCreditReport.com for accounts you did not open.
• Change passwords for any accounts connected to information your employer holds.
• Document everything, including any notification you received, when you received it, and any harm you have experienced as a result.
• Finally, consult a data breach lawyer, especially if your employer failed to notify you on time or if you have suffered financial or emotional harm.

Contact a Data Breach Lawyer in Los Angeles

California’s new 30-day notification rule is a significant step forward for employee and consumer rights, but the law only protects you if you know how to use it. If your employer failed to notify you in time, or if you have suffered harm because of a workplace data breach, you may be entitled to compensation.

Bibiyan Law Group helps California employees understand their rights and pursue data breach claims when employers fail to meet their legal obligations. Our team is experienced in both individual and class action data breach lawsuits, and we work on a contingency basis, meaning you pay nothing unless we win.

For a deeper understanding of your rights, visit our Data Breach practice area page.

Contact us today to schedule your free consultation and take the first step toward protecting your rights.

Frequently Asked Questions

Does SB 446 apply to all employers in California?

Yes. SB 446 applies to any individual or business that conducts business in California and owns or licenses computerized data that includes personal information. This covers the vast majority of California employers.

What counts as “personal information” under this law?

Personal information includes any personally identifiable information (PII) such as Social Security numbers, driver’s license numbers, and financial account details, as well as protected health information (PHI) like medical records, insurance data, or disability documentation. If the exposed data could be used to identify or harm you, it likely qualifies.

Can I sue my employer if they missed the 30-day notification deadline?

You may have legal options, including a data breach claim under the CCPA or a broader data breach lawsuit depending on your circumstances. Consulting with a data breach lawyer is the best way to understand whether you have a viable case.

What if I found out about the breach from a news report instead of my employer?

That may be a sign that your employer failed to meet their notification obligations. If the breach affected you and you were not properly notified, you should document when you first learned about it and speak with an employment attorney.

How long do I have to take legal action after a data breach?

Statutes of limitations vary depending on the type of claim. Acting quickly is always in your best interest. The sooner you consult with a data breach lawyer, the more options you are likely to have.

Disclaimer: This is for informational purposes only and does not constitute legal advice. It does not create an attorney-client relationship. Legal results are not guaranteed and vary by case. Bibiyan Law Group P.C. also operates as Tomorrow Law.
