Recent California Breaches Reveal Oversight Gaps in SMBs
The California AG's breach database and the CPPA's 2026 enforcement actions tell a story that should change how you assess SMB accounts. Smaller businesses are showing up repeatedly in California breach disclosures, they're getting hit with fines they're not structured to absorb, and two new 2026 regulations have raised the compliance floor dramatically. The SMBs in your book who aren't tracking this are walking into material underwriting problems.
What the California Data Actually Shows
Look at the CA AG breach database for late 2025 and early 2026. Santa Cruz Community Health reported two separate breaches, one on 10/02/2024 and another on 11/01/2024, both disclosed on 01/16/2026. OLE Health, doing business as CommuniCare + OLE, filed the same day. SPCorp Services reported a breach dated 09/26/2025. These aren't enterprise firms with mature security operations. They're regional healthcare providers and services companies. The CA AG database doesn't segment by business size, so I can't give you a California-specific frequency stat. But the Verizon DBIR has been consistent on this point: businesses with fewer than 100 employees account for 58% of data breaches. Nothing in recent California filings contradicts that pattern.
The Penalty Picture Is More Complicated Than It Looks
I want to be honest about what the enforcement data does and doesn't say. The CPPA's January 2026 enforcement actions fined Rickenbacher Data LLC (a Texas SMB data reseller operating as Datamasters) $45,000 for failing to register as a data broker and ordered the company to stop selling California personal information entirely. That same round of enforcement hit S&P Global with a $62,600 fine for the same registration failure. So the dollar amounts aren't wildly different. What is different is the operational impact. A $45,000 fine plus a sales ban is existential for a small data reseller. For S&P Global, it's a rounding error.
The structural penalty exposure is where things get serious for your SMB clients. Under the CCPA's current post-2024 adjusted penalty schedule, violations run up to $2,663 per violation, or $7,988 per intentional violation or violation involving a child's data, with each affected consumer counted separately. A breach touching several thousand California residents isn't just a notification headache. It's a potential seven-figure exposure for a company that doesn't have the reserves or the legal infrastructure to fight it.
Two Regulations That Rewrote the Rules Starting January 2026
This is the part your SMB clients almost certainly don't know about.
California's CCPA Cybersecurity Audit Rule, codified at Cal. Code Regs. tit. 11, §§ 7120–7124 and effective January 1, 2026, requires covered businesses to conduct annual audits across 18 specific security controls, including MFA and encryption, certify the results under penalty of perjury, and retain documentation for five years. The CPPA can demand those documents within 30 calendar days. The thresholds pull in SMBs with annual gross revenues above $26.6 million, those processing data on more than 250,000 consumers, or those handling sensitive personal information on more than 50,000 consumers. A regional healthcare provider or mid-sized services firm can hit those numbers faster than they'd expect.
Then there's SB 446, also effective January 1, 2026. It replaced California's vague "expedient time" notification standard with hard deadlines: 30 calendar days from the date of discovery to notify affected residents, and AG notification within 15 days of consumer notice if the breach affects more than 500 California residents. For a company with no incident response plan and no outside counsel on retainer, 30 days is not a lot of runway.
What to Do With This on Your Next SMB Renewal
Pull your SMB healthcare and services accounts and ask two questions. First, do they know whether they're covered by the audit rule thresholds? Most won't have checked. Second, do they have a documented incident response plan with a legal notification workflow? If the answer to either is no, that's a coverage conversation and a pricing conversation.
The audit rule creates something useful for you: a defined "reasonable security" benchmark. When a covered SMB can't show they've done the required audits, a carrier looking at a breach claim has a much shorter path to a coverage dispute. Your client needs to understand that before a breach happens, not after. I couldn't find primary data on how carriers are currently adjusting SMB cyber pricing in response to these specific regulations, so I won't pretend there's a uniform market response yet. But the underwriting logic is straightforward, and you can walk your clients through it without waiting for rate filings to confirm what's obvious.