Why the Definition Now Carries Legal Consequences
For purposes of California’s data breach notification law, discovery occurs when an organization knows, or reasonably should know, that personal information has been accessed or acquired without authorization.
California’s breach notification framework has changed in a meaningful way. As of January 1, 2026, organizations operating in California are subject to a defined statutory timeline for notifying affected individuals following a data breach.
Under current law, organizations must notify California residents within 30 calendar days of discovery of a reportable breach.
While much of the attention has focused on the length of this window, the more consequential change lies in the definition itself. The law no longer treats discovery as a flexible or interpretive concept. Instead, it establishes discovery as the legal trigger for compliance obligations, enforcement scrutiny, and potential exposure.
Understanding what discovery means, and why that definition now carries legal consequences, is central to compliant incident response.
Discovery Is a Legal Threshold, Not a Technical Milestone
California Civil Code §1798.82 ties breach notification obligations to the point at which an organization knows, or reasonably should know, that personal information has been accessed or acquired without authorization.
This definition is intentionally broader than technical confirmation.
Discovery does not depend on a completed forensic investigation, a confirmed scope of affected records, attribution to a known threat actor, or a finalized incident response report.
Instead, discovery occurs when available facts and circumstances would lead a reasonable organization to conclude that unauthorized access may have occurred.
This framing reflects a legal standard of awareness, not certainty. Under the updated framework, organizations are expected to act based on reasonable knowledge, not perfect information.
Where Discovery Commonly Occurs in Practice
In real environments, discovery often occurs earlier than organizations expect.
Examples include anomalous authentication activity involving privileged accounts, notifications from third parties that organizational credentials have appeared in breach data, unexplained changes to administrative access or security configurations, or internal reports indicating that systems were accessed outside of normal patterns.
Notifications from vendors or service providers regarding incidents that affect shared data may also constitute discovery, even if the organization has not yet validated the full scope of impact.
In each of these situations, an organization may lack complete understanding of what occurred. However, it possesses sufficient information to reasonably suspect unauthorized access. Under the statute, that awareness is enough to trigger legal obligations.
Why the Definition Now Carries Legal Weight
Under the prior “without unreasonable delay” standard, organizations had discretion to balance investigation, remediation, and notification. The updated statute replaces that flexibility with a defined clock.
Because the notification timeline now runs from discovery, the definition itself determines whether an organization is compliant.
If discovery is identified late, even well-intentioned response efforts may fall outside statutory timelines. If discovery is identified early but not escalated, organizations may struggle to defend notification timing under regulatory review.
The definition matters because it establishes when statutory obligations begin, how response timelines are measured, and what decisions will be evaluated after the fact.
Discovery is no longer an internal technical concept. It is a compliance boundary.
How Regulators Evaluate Discovery Decisions
Regulatory review increasingly focuses on process and documentation, not just outcomes.
When assessing compliance, regulators consider when the organization first became aware of indicators suggesting unauthorized access, how that information was evaluated, who had authority to determine whether discovery had occurred, and what documentation exists to support timing decisions.
An organization that notifies within 30 days of confirmed impact, but cannot explain why earlier indicators did not constitute discovery, may still face enforcement risk.
The absence of a clear internal definition or documented escalation process can undermine an organization’s ability to defend its response, even where technical remediation was effective.
Discovery Is an Operational Issue, Not a Tool Issue
The updated framework shifts breach response from a technical exercise to an operational one.
Discovery depends on how alerts are reviewed, how information moves between IT, legal, and leadership, and how decisions are recorded. These are governance and process questions as much as security questions.
Organizations that treat discovery as a moment of technical certainty risk compressing timelines in ways that are difficult to recover from once scrutiny begins.
Preparing for the Consequences of Discovery
The practical implication of California’s updated breach notification rule is straightforward. Organizations must be prepared to recognize discovery when it occurs, not retroactively.
This requires shared internal understanding of what constitutes discovery, defined escalation paths when indicators arise, clear decision authority around notification timing, and documentation practices that support defensible timelines.
Designing these elements during an active incident is rarely effective.
Why This Matters Now
California’s 30-day notification requirement does not assume organizations will have complete information before acting. It assumes preparedness and disciplined response.
For organizations operating in California, compliance now depends less on how quickly a breach is resolved and more on how clearly discovery is identified, escalated, and documented.
The definition of discovery is no longer academic. It carries direct legal consequences.
How Vision Quest Supports Readiness
In our work, we frequently see uncertainty around discovery thresholds, escalation responsibility, and documentation, often more so than technical failure.
A Cybersecurity Risk Assessment provides a structured way to evaluate how these elements function in practice, before timelines are compressed and decisions are scrutinized. The goal is not to predict incidents, but to ensure that when indicators arise, organizations are prepared to respond within defined legal boundaries.