California Mandates New Data Security Measures for Employers

California's new data security law requires enhanced measures for employee data protection starting January 1, 2027.

AEA Editorial Team

California's Data Security Law

California Governor Gavin Newsom signed the Employee Data Protection Act into law on June 10, 2026. This new legislation mandates stringent data security measures for employers handling employee information, effective January 1, 2027. Companies with operations in California, regardless of size, must comply with these enhanced requirements to avoid significant penalties.

Key Provisions

The law, codified under California Civil Code Section 1798.91.50, stipulates that employers must implement "reasonable security procedures and practices" to protect employee data. This includes personal identification information, financial data, and any health-related data collected during employment. The statute defines "reasonable security" as measures that are appropriate to the nature of the information, the size of the business, and the resources available to the employer.

Action Items for Employers

  1. Conduct a Data Security Audit: Employers must review current data protection protocols to ensure they meet the new standards. This includes assessing data encryption methods, access controls, and breach detection systems.

  2. Update Privacy Policies: Companies should revise their privacy policies to reflect compliance with the new law. This involves clearly outlining data collection practices and security measures in employee handbooks and onboarding materials.

  3. Employee Training Programs: Employers are required to provide training to employees on data protection practices. This training should cover the importance of data security and the specific measures in place to protect employee information.

  4. Incident Response Plan: Develop or update an incident response plan that outlines procedures for addressing data breaches. This plan should include steps for notifying affected employees and regulatory bodies within the required timeframe.

Penalties for Non-Compliance

Failure to comply with the Employee Data Protection Act can result in penalties of up to $7,500 per violation. The California Attorney General's office is tasked with enforcement, and companies may face additional civil liabilities if employee data is compromised due to negligence.

Broader Implications

This legislation aligns with California's ongoing efforts to enhance privacy and data security, following the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). While the new law specifically targets employee data, it signals a broader trend towards increased regulatory scrutiny on data protection practices nationwide.

Employers operating in California should act promptly to ensure compliance by the January 1, 2027 deadline. Failure to do so could result in significant financial and reputational damage.