WeVote

Bill

Bill

SB 1386

Administrative adjudication: governing procedure.

2025-2026 Regular Session Introduced by Roger Niello

Requires prompt breach notices to California residents when unencrypted personal data is compromised, with flexible methods and possible delays for investigations.

Referred to Com. on RLS.
0
WeVote Research Nonpartisan
Bill Summary · SB 1386

Overview

SB 1386, from the 2025-2026 California session, addresses notification requirements when there is a breach of the security of personal data. The bill focuses on who must notify, what constitutes personal information, acceptable notice methods, and circumstances that allow delayed or substitute notices. It builds on existing California privacy and data security laws by clarifying definitions and procedures related to breach notifications for entities that own or license computerized data containing personal information.

Purpose and intent

  • Ensure timely and effective notification to California residents when their unencrypted personal information is compromised due to a security breach.
  • Clarify who is responsible for notification (state agencies, businesses, or entities that maintain data) and what counts as a breach.
  • Provide flexibility in notification delivery (written, electronic, or substitute notice) and allow for delay when law enforcement investigations would be obstructed.
  • Align notification obligations with existing state law on data handling, destruction of records, and civil remedies.

Key provisions and changes

  • Applicability:
    • Applies to state agencies and any person or business that conducts business in California and owns or licenses computerized data containing personal information.
  • Definition of breach:
    • A “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the organization.
  • Personal information:
    • Defined as an individual's first name or first initial plus last name, in combination with any of the following when not encrypted:
    • Social Security number
    • Driver’s license number or California ID card number
    • Account number or credit/debit card number with required security code, access code, or password
    • Excludes publicly available information that is lawfully made available in government records.
  • Exceptions:
    • Good faith acquisition by an employee or agent for agency purposes is not a breach if the information is not used or disclosed further without authorization.
  • Notice requirements:
    • Notice must be provided to the affected California resident upon breach.
    • Notice methods:
    • Written notice
    • Electronic notice (compliant with the electronic records and signatures standards in 15 U.S.C. § 7001)
    • Substitute notice when cost or scope is prohibitive or contact information is insufficient:
      • Email notice if an email address is available
      • Prominent posting on the agency’s website
      • Notification to major statewide media
  • Delay of notice:
    • Notification can be delayed if a law enforcement agency determines that notification would impede a criminal investigation.
  • Coordination with owners/licensees:
    • Agencies or entities maintaining data that includes personal information owned by another must notify the owner or licensee of any breach.
  • Integration with existing law:
    • Acknowledges that other California laws regulate personal data maintenance, disclosure, destruction, and provide civil remedies for violations.

Who is affected

  • State agencies in California that maintain personal data.
  • Private entities and businesses with California operations that own or license computerized data containing personal information.
  • Individuals whose unencrypted personal information is compromised.
  • Owners or licensees of data who must be notified if their information is breached.

Procedural and timeline aspects

  • Notification timeline:
    • Timely notification to affected residents is required, with possible delays if law enforcement investigations warrant it.
  • Substitute notice:
    • Triggered when costs exceed $250,000, or the affected class exceeds 500,000, or contact information is insufficient.
    • Substitute notice components include: email (if available), conspicuous website posting, and major statewide media alerts.
  • Compliance and remedies:
    • Builds on existing California frameworks for disclosure, destruction of records, and civil remedies for violations.

Practical impact and considerations

  • For entities:sb 1386 clarifies when and how to notify residents and provides a framework for delayed or substitute notices, potentially reducing disruption during ongoing investigations.
  • For residents: clearer expectations on receiving prompt breach notices and the means through which notices may be delivered.
  • For policymakers and agencies: reinforces accountability for data protection and aligns breach notification practices with state privacy objectives.

Note: This summary focuses on statutory provisions as described in the bill text and action history. For enforcement details, thresholds, and any amendments, refer to the official bill language and legislative analyses.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.