California's breach activity is accelerating, and premiums are going to follow. The California Attorney General's breach list already shows dozens of 2025 incidents, with notifications running into early 2026. Combine that with tightening regulations and ballooning vendor exposure, and you've got a risk environment that carriers cannot price the same way they did two years ago.
What the AG's List Actually Shows
The AG's database doesn't publish aggregated year-over-year totals, so I can't tell you breach volume is up 40% from 2023. What it does show is relentless, ongoing activity across every sector. The Automobile Club of Southern California reported a breach from July 2025. California Casualty Indemnity Exchange flagged a September 2025 breach. The Superior Court of California, County of San Joaquin reported a breach dating to October 2024 that wasn't notified until November 2025. These aren't isolated incidents. They're a pattern visible just scrolling through a single public page.
And the notification delays matter here. Ericsson Inc had a breach in April 2025 and didn't notify until March 2026, roughly eleven months later. Marquis Software Solutions was breached in August 2025 and notified in December 2025, about four months later. Gaps like these now carry regulatory consequences.
The Notification Clock Just Got Tighter
California's SB 446 introduced a 30-day notification standard. According to Privacy Rights Clearinghouse's 2025 Data Breach Report, fewer than 10% of 2025 breaches would have met that standard. In other words, the overwhelming majority of California-involved entities are operating on notification timelines that no longer comply, under a rule that's only going to get more consequential as enforcement ramps up.
That compliance gap has a direct line to your clients' liability exposure. Regulatory fines, mandatory notifications, and litigation costs all feed into loss ratios. Carriers see this. They price it.
Vendor Risk Is the Real Driver
Nationally, the same Privacy Rights report found that in 2025, 8,019 breach notifications captured 4,080 unique events affecting 375 million individuals. Eight of the 20 largest breaches occurred at service providers, affecting 231 million people combined. That's a vendor-chain problem, and California's economy, heavily concentrated in tech, healthcare, and financial services, sits right in the middle of it.
Your client might have clean internal security. It doesn't matter if their payroll processor, their cloud storage vendor, or their benefits platform gets hit. The claim lands on their policy either way.
Regulatory Pressure Is Stacking Up
California isn't just enforcing breach notification. The CPPA launched its DROP system in 2025, which standardizes deletion requests across more than 500 data brokers. New rules around data protection impact assessments, cybersecurity audits, and automated decision-making technology are also in motion. The CPPA's first wave of enforcement actions hit Tractor Supply, Todd Snyder, and Honda.
This matters to you because every new compliance requirement your clients fail to meet is a potential coverage trigger or a gap in their existing policy language. CCPA-related liabilities aren't always cleanly covered. Check the policy wording. Some carriers exclude regulatory fines explicitly. Others have sublimits on privacy regulatory defense costs that haven't been updated since 2021.
What to Do With This
I couldn't find California DOI rate filings or carrier-level data directly linking this breach volume to specific premium increases. Anyone telling you they have a precise number is probably extrapolating. But the underlying logic is straightforward: higher frequency, larger vendor exposures, stricter notification windows, and an active state regulator all push loss ratios up. That gets reflected at renewal.
Pull your California book and flag any clients in healthcare, financial services, or tech with significant third-party data dependencies. Those are the accounts where the vendor-chain exposure is highest and where a breach notification compliance gap is most likely to produce a bad outcome. Before renewal conversations start, you want to know whether their contracts with vendors include breach notification timelines that actually align with the 30-day SB 446 standard. Most don't.
Also worth revisiting: any client who's been breach-free for several years and is quietly assuming their premium will hold flat. The market isn't pricing California risk based on individual account history alone. It's pricing the environment. And the environment has gotten worse.