California Data Breach Law and Computer Hacking Litigation

Data breaches and cybersecurity incidents often place businesses in immediate legal jeopardy. If hackers or other bad actors access or obtain personal or confidential information from your company, then your company is exposed to the risk of class action lawsuits and regulatory action. Early decisions upon learning of a potential data breach can have important consequences for your company’s potential liability.

Therefore, when a data breach occurs, in addition to retaining technical experts, your business needs a competent attorney who can help manage and mitigate the legal fallout from the data breach and assess and advocate for the security measures your business had in place.

My law firm represents businesses in California in data breach and cybersecurity litigation matters. If you need legal assistance regarding a potential or actual data breach—whether your business is already a defendant in litigation or wisely wants to get ahead of potential litigation—I welcome you to contact me to discuss the matter. Below is a brief overview of some of the legal issues pertaining to data breaches and data breach litigation. The focus is on companies doing business in California, as my firm is based in Southern California.

Notification to Potential Victims is Required

If your company suffers a data breach, prompt notification of potential victims is required. Notification obligations may arise under state laws, certain federal regulations, and even international privacy laws.

Broadly speaking, the California Privacy Act requires that anyone conducting business in California that stores “personal data” must notify any California resident who is a potential victim of a data breach. Importantly, the “disclosure shall be made in the most expedient time possible and without unreasonable delay.” And a business that maintains computerized data that the business does not own must notify the owner or licensee of the information “immediately following discovery” of the breach. California law provides specifications regarding the content of any notices regarding data breaches.

Requirements to notify the credit bureaus may also apply.

[Sources: Cal. Civ. Code §§ 1798.29, 1798.82; Shah v. Capital One Financial Corporation, 768 F.Supp.3d 1033 (N.D. Cal. 2025); Baton v. Ledger SAS, 740 F.Supp.3d 847 (N.D. Cal. 2024).]

Liability for Data Breaches

If your business suffers a data breach involving personal data of customers, it will likely be sued under a number of theories, including potentially breach of contract (for violating any duties your business agreed to in any terms of service or other contracts with customers) and negligence.

For negligence liability, a key question will be whether your business’s data security measures and its actions responding to a potential data breach were reasonable and adequate. A key issue in litigation will be what security measures were in place and how the business responded once a potential breach was discovered.

Furthermore, when a data breach is occurring—or may be occurring—it is vital to respond quickly and to take the matter seriously. Your business should swiftly retain competent technical experts and legal counsel, as best as it reasonably can.

If litigation arises, beyond the question of negligence, a key question will be to what degree the victims of the breach can establish that they suffered damages and, relatedly, if they even have standing to sue. Usually, most victims cannot prove that the hackers used their personal data in a way that caused them a concrete loss. However, victims may be able to claim some damages, such as the need to pay for credit reporting services. While the amount of financial damages per victim may be low, if there are many victims, total potential liability can be high.

There is also the potential for civil liability and penalties from state attorneys general or even the FTC in certain contexts related to areas such as unfair privacy policies and improper data security practices.

[Sources: In re California Pizza Kitchen Data Breach Litigation, 129 F.4th 667 (9th Cir. 2025); In re AT&T Inc. Customer Data Sec. Breach Litig., 737 F. Supp. 3d 1350, 1352 (U.S. Jud. Pan. Mult. Lit. 2024); In re Accellion, Inc. Data Breach Litigation, 713 F.Supp.3d 623 (C.D. Cal. 2024); TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).]

Data Security is Not only about Hacking

It is important to remember that protecting customer data goes beyond protecting the data from nefarious outsiders and hackers. It is beyond the scope of this article to list all potential requirements businesses must comply with to protect their customers’ privacy and data. However, a few examples include the requirements that a business comply with its own privacy notices and statements and that businesses display only the ends of credit card numbers in many contexts. As is often reported, a business’s employees are often the most vulnerable links in the business’s data and internet security efforts.

Additionally, many online privacy laws under state, federal, and international law are constantly operative and not tied to data breaches. For example, the California Privacy Rights Act (CPRA) contains robust requirements related to privacy. In certain contexts, consumers, the California Privacy Protection Agency, and the California Attorney General can enforce the provisions of the CPRA.

[Sources: Cal. Civ. Code § 1798.100, et seq.; Tex. Bus. & Com. Code Ch. 541; Va. Code § 59.1-571 et seq.; Briskin v. Shopify, Inc., 135 F.4th 739 (9th Cir. 2025).]

If you or your company are facing a data breach, I can help you evaluate your legal options and develop a litigation strategy.
