
California: Data Breach Capital of the US

Data privacy regulations have become a household topic of discussion in recent years. The European Union’s General Data Privacy Regulation (GDPR) marked a turning point in how organizations manage the sensitive data entrusted to them by their users. Before, organizations could collect any data that they wanted and process it however they pleased with little fear of being called up for misuse. Under the new legislation, data privacy regulators have the power to call out these organizations and levy substantial penalties against them (the greater of 20 million euros or 4% of global turnover) for violations.

And GDPR isn’t the only new data protection regulation in existence. While many US states have passed data privacy regulations since GDPR was enacted, none of them is more famous than the California Consumer Privacy Act (CCPA). The CCPA mimics many of the features of GDPR and demonstrates that the state is committed to ensuring the protection of its residents’ personal data.

Ironically, recent data has demonstrated that California is the state that needed a strong data protection law the most. A study found that, of all US states, California was responsible for the most data breaches in the last ten years, both in terms of number of unique breaches and number of breached records. California’s activism in taking a step toward data protection in the US also may be vital to curbing the rash of data breaches that originate there.

Inside the California Consumer Privacy Act (CCPA)

California is known for having the most famous data protection legislation after the EU’s General Data Privacy Regulation (GDPR). The California Consumer Privacy Act (CCPA) was passed in 2018 but does not go into effect until January 1, 2020. Despite this, a variety of different amendments to the CCPA have already been proposed and passed that further define the new privacy legislation.

The CCPA imposes many of the same requirements on businesses as the EU’s GDPR. Under the CCPA, any organization that falls under the jurisdiction of the regulation must comply with the following requirements:

  • Disclosure: Responding to a verified request for data collected about an individual
  • Access: Disclosure of types and purpose of data before collection
  • Deletion: Removal of an individual’s personal data upon request
  • Antidiscrimination: Inability to discriminate against a user based upon their exercise of CCPA-protected rights
  • Opt Out: Ability of individuals to refuse to have their data collected or processed
  • Privacy Policy: A description of the individual’s rights under CCPA and how to exercise them

If an organization violates the CCPA, it can be liable for penalties of up to $2500 for each violation and $7500 if the violation is intentional. The goal of the legislation is to ensure that the private data of California residents is properly protected by the organizations that they entrust it to.

The California Data Breach Landscape

Why does California need such a high-profile data protection law? Recent research reveals a possible explanation: California has had the most data breaches of any state in the last 10 years.

Based upon the study, California is far and away the state with the most data breaches in the past decade. According to the research, California has suffered 1,493 data breaches since 2018, which have exposed about 5.6 billion records of individuals’ personal information. The second-place state in the study is New York with 729 breaches and 239 million records exposed. This is less than half as many breaches as California and less than a quarter as many exposed records.

In total, the US has had 9,696 data breaches in the same time period, which exposed 10.7 billion records. California accounts for 15% of those breaches and over half of the exposed records. This demonstrates that not only is California responsible for a disproportionate number of data breaches, but the data breaches that originate in California are also much more likely to expose a greater number of sensitive records. As a result, the new CCPA data protection regulation couldn’t be applied to a better state.

Protecting Sensitive Data

The EU’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most famous data privacy regulations in existence, but they’re not the only ones out there. Many different US states have created their own data privacy regulations, but California’s is the best known.

However, it may also have been the most needed. Between California’s status as the data breach capital of the US and the CCPA regulation coming into effect in 2020, organizations in California (and elsewhere) have plenty of incentive to improve their data protection solutions.

Achieving compliance with the new regulation and creating effective defenses for data protection is a multi-stage and ongoing process. However, the first stage in this process is closing the most critical gaps in an organization’s defenses by deploying a strong data protection solution. Appropriately protecting an organization’s sensitive data requires knowing where it is, how it’s accessed, and what indicates a potential breach. Implementing a data protection solution that can answer these questions goes a long way toward preventing an organization from being the latest data breach headline.
