
California Tightens Data-Breach Notification Rules — SB 446 Effective January 1, 2026

October 19, 2025

The State of California has enacted Senate Bill 446 (SB 446), amending Civil Code § 1798.82 to establish fixed deadlines and clearer requirements for notifying consumers and regulators following a data breach. The law takes effect January 1, 2026, and replaces California’s previous “without unreasonable delay” standard with firm 30- and 15-day deadlines.

1. Key Changes Under SB 446

Under the new provisions, any business or individual that owns, licenses, or maintains personal information of California residents must:

♦  Notify affected consumers within 30 calendar days of discovering or being notified of a breach.
♦  Notify the California Attorney General within 15 calendar days of consumer notification if the breach affects 500 or more residents.
♦  Provide notices written in plain language and labeled “Notice of Data Breach,” including key details such as the date of the breach, types of information exposed, and contact resources for affected individuals.
♦  Retain the ability to delay notification only when law enforcement determines that notice would impede an active investigation or when a short delay is necessary to identify the scope of the breach and restore system integrity.

2. Who’s Covered and What Counts as Personal Information

The law applies to any entity doing business in California or holding the personal information of its residents. “Personal information” is defined broadly to include a name in combination with one or more sensitive identifiers such as a Social Security number, driver’s license number, financial-account data, medical or health insurance information, or biometric identifiers.

3. Why This Matters to Mortgage Companies

Mortgage lenders, brokers, and loan originators handle large volumes of borrower data that fall squarely within the scope of SB 446. These records often include tax returns, bank statements, credit reports, and government-issued identification—all considered “personal information” under California law.

1. Tighter Deadlines Increase Operational Pressure: Mortgage companies now have only 30 days to notify borrowers affected by a breach and 15 days to notify the Attorney General if 500 or more California residents are involved. Investigation, verification, and coordination with vendors will need to occur much faster than under previous standards.

2. Third-Party Vendor Exposure: Many mortgage businesses rely on LOS providers, credit vendors, CRM platforms, and marketing partners—each storing sensitive borrower data. If a vendor experiences a breach, the lender may still bear the notification burden. Vendor contracts and oversight programs should therefore include explicit SB 446-compliant notice provisions.

3. Overlap with Federal and Multi-State Obligations: The Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule already require data-security programs and breach responses, but California’s deadlines are stricter. For multi-state mortgage lenders, California’s rule will likely set the new operational benchmark.

4. Reputational and Legal Exposure: Breach notices filed with the California Attorney General are public records, meaning delayed or incomplete notifications can draw attention from regulators, consumers, and the press. Non-compliance could also create exposure under the California Consumer Privacy Act (CCPA) and invite class-action litigation.

5. Practical Action Steps

◊ Review and update your incident-response plan to ensure compliance with the 30- and 15-day timelines.
◊ Audit your vendor contracts to verify that third-party service providers are bound to meet California’s new requirements.
◊ Conduct mock breach exercises with IT and compliance teams to identify bottlenecks.
◊ Align your GLBA Safeguards policies and documentation with California’s accelerated notice requirements.

4. Bottom Line

SB 446 positions California as one of the most stringent states for breach-notification compliance. For mortgage companies and their vendors, this means faster investigations, more structured reporting, and closer coordination between compliance and IT. With the rule effective January 1, 2026, now is the time to tighten internal procedures, update vendor agreements, and train staff on accelerated response expectations.
