The California Attorney General's breach portal is one of the most useful prospecting tools you're not using. Public breach filings name companies, sectors, and breach types. Cross-reference them with your book of business and your prospect list, and you're not cold-calling anymore. You're calling someone who just had a problem, or who works in a sector where that problem is spreading fast.
The Breach Volume Tells You Where to Look
California recorded 40 data breaches in just the first three weeks of January 2026, compared to 23 breaches for all of January 2025. That's not a statistical blip. That's a signal about where claims are going to come from this year. If you're not orienting your prospecting toward California-exposed businesses right now, you're waiting for your competitors to get there first.
The AG Portal Is a Free Lead Generator
The California AG breach report portal is public. You can search it by industry, date range, and company name. Filings like SB24-619492 are sitting there with company details, breach type, and affected population counts. That's a warm lead with documented exposure. Call them about coverage before someone else does.
The legal sector is worth a specific look. The State Bar of California disclosed a breach where 1,034 confidential records were accessed and notifications went to roughly 1,300 individuals. Law firms and legal service providers handle privileged client data and tend to underestimate their own exposure. They're not a hard conversation to start.
The 30-Day Clock Changes the Risk Math
SB 446, effective January 1, 2026, replaced California's vague "expedient time" breach notification standard with a hard 30-calendar-day deadline from discovery. If the breach affects 500 or more California residents, the AG report is due within 15 days of consumer notification. That's a compressed timeline that creates real operational pressure on any business that doesn't have an incident response plan and a claims process already in motion.
Most small and mid-size businesses don't have either. That's your opening. The question isn't whether they need coverage. It's whether they understand what happens when they blow a regulatory deadline. Walk them through it.
New Audit Requirements Create a Compliance Conversation
California now requires annual cybersecurity audits for businesses meeting certain revenue and data-handling thresholds, with certifications due to the California Privacy Protection Agency on a staggered schedule by April 1 each year. Meeting the independent-auditor requirement is not cheap. And when an audit surfaces a gap, coverage questions follow immediately. If you're already in the room with a prospect during audit prep season, you're not selling. You're solving.
AI Exposure Is a Real Coverage Gap Right Now
SB 53 and the AB 853 amendments require risk-management frameworks for generative AI, disclosure obligations, and reporting of what the statute calls "catastrophic" AI safety incidents. A lot of businesses are using AI tools without having mapped what data those tools touch or what a disclosure obligation under SB 53 would actually trigger. I couldn't find solid data on how many current cyber policies explicitly cover AI-related incidents in California, but anecdotally the policy language is trailing the regulation. That's a coverage conversation worth having with every client who's touched GenAI in the last 18 months.
CCPA Litigation Risk Adds Liability Pressure
It's not just regulatory enforcement you're selling against. Freshfields' 2026 data law trends report documents a surge in US data breach class actions driven by expansive CCPA interpretations, including suits over cookies and tracking pixels. A business doesn't need to suffer a traditional breach to land in litigation. That's a meaningful shift in how you frame the liability exposure when you're talking to a prospect who thinks their risk is low because they "don't store credit cards."
Where to Start This Week
Pull up the AG portal and search for filings in the industries where you already write business. Look at the breach dates and cross-reference with your renewal schedule. Any company in a breached sector facing a renewal in the next 90 days is a conversation you should already be having. The data is public. The outreach is on you.