California SaaS Data Breach Demand Letters

CCPA Section 1798.150 | Vendor Security Failures | Breach Notification Violations | Negligence Claims

California SaaS Data Breach Legal Framework

SaaS Vendor Liability: When a SaaS vendor experiences a data breach affecting your personal information, California law provides multiple avenues for recovery. The CCPA (Cal. Civ. Code Section 1798.150) provides a private right of action for security failures, while California's breach notification laws (Sections 1798.29 and 1798.82) impose strict disclosure requirements. Common law negligence claims may also apply.

CCPA Private Right of Action (Section 1798.150)

The California Consumer Privacy Act provides consumers with a limited but powerful private right of action for data breaches:

Element	Requirement
Security Failure	Business failed to implement and maintain reasonable security procedures and practices
Breach Result	Failure resulted in unauthorized access, theft, or disclosure of personal information
Data Type	Nonencrypted and nonredacted personal information (as defined in Section 1798.81.5)
Statutory Damages	$100 to $750 per consumer per incident, OR actual damages (whichever is greater)
30-Day Notice	Must provide 30 days' written notice and opportunity to cure before filing suit

30-Day Notice Requirement: Before filing a lawsuit under CCPA Section 1798.150, you MUST send the SaaS vendor written notice identifying the specific violations and allow 30 days to cure. If the vendor cures the violation and provides written confirmation, statutory damages may be limited. This notice is mandatory - failure to provide it will result in dismissal of your damages claim.

California Data Breach Notification Laws

California Civil Code Sections 1798.29 (government agencies) and 1798.82 (businesses) impose strict breach notification requirements:

Trigger: Unauthorized acquisition of unencrypted computerized data containing personal information
Timing: Notification must be provided "in the most expedient time possible and without unreasonable delay"
Personal Information Defined: Name plus SSN, driver's license, financial account, medical info, health insurance, biometric data, or login credentials
AG Notification: If breach affects 500+ California residents, must notify California Attorney General
Content Requirements: Must include "Notice of Data Breach" header, description of incident, types of data compromised, company response, and contact information

Negligence Standards for SaaS Vendors

Beyond CCPA statutory claims, common law negligence provides an additional avenue for recovery:

Duty of Care: SaaS vendors handling personal information owe a duty to implement reasonable security measures
Industry Standards: Security should meet or exceed industry standards (SOC 2, ISO 27001, NIST Cybersecurity Framework)
Known Vulnerabilities: Failure to patch known security vulnerabilities within reasonable time constitutes negligence
Third-Party Access: Vendors must properly vet and monitor subprocessors and third-party integrations
Encryption: Failure to encrypt sensitive data at rest and in transit may be negligent per se

Standing Requirement: To pursue a data breach claim, you must demonstrate actual harm - not just exposure risk. Document concrete injuries including: fraudulent charges, identity theft, time spent addressing the breach, credit monitoring costs, and emotional distress with supporting evidence.

Key California Civil Code Provisions

Code Section	Coverage
Section 1798.150	CCPA private right of action for security failures; $100-$750 statutory damages
Section 1798.82	Business breach notification requirements to affected individuals
Section 1798.29	Government agency breach notification requirements
Section 1798.81.5	Definition of personal information for breach notification purposes
Section 1798.100 et seq.	CCPA/CPRA general privacy rights (AG enforcement only)

Common SaaS Vendor Security Failures

1. Inadequate Security Measures

Failure to Implement Reasonable Security: The core of a CCPA Section 1798.150 claim is that the vendor failed to implement "reasonable security procedures and practices appropriate to the nature of the information." Evidence of inadequate security strengthens your demand.

Missing Encryption: Storing personal data unencrypted at rest or transmitting without TLS/SSL
Weak Authentication: Not requiring multi-factor authentication (MFA) for admin or user accounts
Unpatched Vulnerabilities: Running outdated software with known security flaws
Excessive Access: Employees or systems with unnecessary access to personal data
Missing Audit Logs: No logging of access to personal information
No Security Certifications: Lack of SOC 2, ISO 27001, or similar third-party security audits

2. Late or Inadequate Breach Notification

California requires notification "without unreasonable delay." Common violations include:

Delayed Discovery: Breach occurred weeks or months before detection due to inadequate monitoring
Delayed Notification: Weeks or months between discovery and notification to affected individuals
Incomplete Disclosure: Notification fails to identify all types of data compromised
Missing Required Elements: Notification lacks required content under Section 1798.82(d)
No AG Notification: Failed to notify Attorney General when 500+ California residents affected

Document the Timeline: Record when the breach allegedly occurred, when the vendor discovered it, and when you were notified. Significant delays support claims of unreasonable conduct and potential willfulness.

3. Inadequate Response to Breach

Insufficient Credit Monitoring: Offering only 12 months of single-bureau monitoring when SSN or financial data was exposed
No Identity Theft Protection: Failing to offer identity theft insurance or restoration services
Minimizing Severity: Downplaying the breach's scope or potential impact
Blame Shifting: Attributing breach to "sophisticated hackers" without acknowledging security failures
Refusal to Answer Questions: Not providing clear information about what data was exposed

4. Third-Party and Subprocessor Failures

SaaS vendors are responsible for security of data processed by their subcontractors:

Unvetted Third Parties: Sharing data with subprocessors without adequate security review
API Vulnerabilities: Insecure integrations with third-party services
Cloud Misconfigurations: Improperly configured AWS S3 buckets, Azure storage, or similar cloud resources
Contractor Access: Giving development contractors excessive access without monitoring

5. Contractual Violations

Review your SaaS agreement, Terms of Service, and Privacy Policy for security commitments:

Common Commitments	How They're Violated
"Industry-standard security measures"	Breach occurred due to basic security failures
"Data encrypted in transit and at rest"	Unencrypted data was exposed in breach
"Regular security audits"	No evidence of SOC 2 or similar audits
"Prompt breach notification"	Weeks or months of delay before notification
"Limited data retention"	Breach exposed data that should have been deleted

Related Resources

Your Rights After a SaaS Data Breach

What You Can Demand

Right/Remedy	Legal Basis	What to Request
Statutory Damages	CCPA Section 1798.150	$100-$750 per consumer per incident for security failures
Actual Damages	CCPA, Negligence, Breach of Contract	All documented out-of-pocket expenses and losses
Credit Monitoring	Common practice, sometimes contractual	24 months of three-bureau monitoring with identity theft insurance
Identity Restoration	Mitigation of damages	Full identity theft restoration services if needed
Full Breach Details	Section 1798.82(d) requirements	Complete information about what data was exposed
Service Credits/Refund	Breach of contract	Refund of subscription fees during compromised period

Documenting Your Damages

To maximize recovery, document all harm immediately:

Time Spent: Keep a log of hours dealing with the breach (freezing credit, disputing charges, monitoring accounts). Value at reasonable hourly rate ($25-$75/hour)
Out-of-Pocket Costs: Credit monitoring you purchased, credit freeze fees, notary fees, certified mail, phone calls, travel
Fraudulent Charges: Document all unauthorized charges, even if reimbursed by your bank
Lost Income: If you missed work dealing with breach consequences, document lost wages
Emotional Distress: Keep records of stress, anxiety, sleep issues. Therapy records provide strong documentation
Increased Risk: SSN exposure creates permanent vulnerability - basis for long-term monitoring demand

Key Evidence to Preserve: Save the vendor's breach notification letter/email, all communications with the vendor, screenshots of any error messages or suspicious activity, credit reports showing inquiries or new accounts, bank statements showing fraudulent charges, and any news articles about the breach.

Credit Monitoring Standards

If SSN, financial data, or login credentials were exposed, demand comprehensive protection:

Duration: Minimum 24 months (not the standard 12 months vendors often offer)
Coverage: All three credit bureaus (Experian, Equifax, TransUnion), not just one
Identity Theft Insurance: Minimum $1 million policy covering costs of identity theft resolution
Dark Web Monitoring: Scanning for your information on criminal marketplaces
Restoration Services: Professional assistance if identity theft occurs

When CCPA Section 1798.150 Applies

CCPA Private Right of Action Requirements:

You must be a California resident
The business failed to implement reasonable security
The failure resulted in breach of nonencrypted/nonredacted personal information
Personal information as defined in Section 1798.81.5 was exposed
You must provide 30 days' written notice before filing suit

Statute of Limitations

Claim Type	Time Limit	Notes
CCPA Section 1798.150	Not explicitly stated (likely 3-4 years)	Courts may apply general contract or fraud statutes
Negligence	2 years from discovery	CCP Section 335.1
Breach of Contract (Written)	4 years	CCP Section 337
Breach of Implied Contract	2 years	CCP Section 339

Act Promptly: Even if full statute of limitations remains, evidence fades and vendors may destroy records. Send your demand letter within 30-60 days of learning about the breach. Document everything immediately.

SaaS Data Breach Demand Letter Generator

How This Generator Works: Fill in the details about the SaaS vendor, the breach, your damages, and what you're demanding. The generator will create a professional demand letter with proper California legal citations. For CCPA claims, this serves as your mandatory 30-day pre-suit notice.

Your Demand Letter

Important Next Steps: After generating your letter, send it via certified mail with return receipt requested. Keep copies of everything. Mark your calendar for the response deadline. If pursuing CCPA claims, the 30-day notice period is mandatory before filing suit.

Sample SaaS Data Breach Demand Letters

Sample 1: CCPA Section 1798.150 Pre-Suit Notice

[Your Name] [Your Address] [City, CA ZIP] [Email] | [Phone] [Date] VIA CERTIFIED MAIL - RETURN RECEIPT REQUESTED [SaaS Company Name] Legal Department [Address] [City, State ZIP] Re: NOTICE OF VIOLATION OF CALIFORNIA CIVIL CODE SECTION 1798.150 30-Day Cure Period Under CCPA Data Breach Affecting [Your Name] Dear [Company]: This letter constitutes formal notice under California Civil Code Section 1798.150(b) that you have violated the California Consumer Privacy Act of 2018 (CCPA). FACTS: On or about [Date], your company suffered a data breach that resulted in the unauthorized access and acquisition of my personal information. You notified me of this breach on [Date], approximately [X] days/weeks after the breach occurred. According to your notification, the following categories of my personal information were compromised: - [Social Security number] - [Financial account information] - [Driver's license number] - [Login credentials] - [Other data types] VIOLATIONS: You violated California Civil Code Section 1798.150(a)(1) by failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect that information from unauthorized access, destruction, use, modification, or disclosure. Evidence of your inadequate security practices includes: 1. [Describe known security failures - e.g., "The breach resulted from unencrypted database storage of personal information"] 2. [E.g., "Your company failed to implement multi-factor authentication"] 3. [E.g., "Delayed detection suggests inadequate security monitoring"] As a result of your failure to implement reasonable security, my nonencrypted and nonredacted personal information, as defined in California Civil Code Section 1798.81.5, was subject to unauthorized access and exfiltration. DAMAGES: Under Section 1798.150(a)(1)(A), I am entitled to recover statutory damages of not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, OR actual damages, whichever is greater. My actual damages include: 1. Out-of-Pocket Expenses: - Credit monitoring services: $[amount] - Credit freeze fees: $[amount] - Time and correspondence: $[amount] TOTAL: $[amount] 2. Time Spent Addressing Breach: - [X] hours at $[rate]/hour: $[amount] 3. Increased Risk: - My [Social Security number/financial information] is permanently compromised - I face years of heightened vulnerability to identity theft 4. Emotional Distress: - Significant anxiety and stress regarding financial security TOTAL DAMAGES CLAIMED: $[amount] (or statutory minimum of $750, whichever is greater) 30-DAY CURE PERIOD: Pursuant to California Civil Code Section 1798.150(b), you have thirty (30) days from receipt of this notice to cure the alleged violation of Section 1798.150. An adequate cure must include: 1. Reimbursement of all out-of-pocket expenses: $[amount] 2. Compensation for time spent: $[amount] 3. 24 months of comprehensive credit monitoring from all three bureaus (Experian, Equifax, TransUnion) 4. Identity theft insurance policy of at least $1,000,000 5. Identity restoration services if needed 6. Written confirmation of enhanced security measures implemented If you do not cure the violation within 30 days, I will pursue all available legal remedies, including but not limited to: - Filing a lawsuit seeking statutory damages of $750 per incident - Actual damages in excess of statutory amounts - Injunctive relief - Attorney fees and costs I also reserve the right to participate in any class action filed against your company regarding this breach and to file complaints with the California Attorney General and Federal Trade Commission. This letter constitutes formal notice under CCPA Section 1798.150(b). The 30-day cure period begins upon your receipt of this letter. Sincerely, _______________________ [Your Signature] [Your Printed Name] Enclosures: - Your breach notification letter dated [Date] - Documentation of expenses incurred - Time log

Sample 2: Comprehensive Demand (Negligence + Contract + CCPA)

[Your Name] [Your Address] [City, CA ZIP] [Email] | [Phone] [Date] VIA CERTIFIED MAIL - RETURN RECEIPT REQUESTED [SaaS Company Name] Attn: Legal Department / Data Privacy Officer [Address] [City, State ZIP] Re: DEMAND FOR COMPENSATION - DATA BREACH Account: [Your Account Number/Email] Breach Notification Date: [Date] Dear [Company]: I am writing to demand compensation for the data breach you disclosed on [Date], which compromised my personal information due to your inadequate security practices and failure to protect customer data as required by California law and your own contractual commitments. BACKGROUND: I have been a customer of [Company Name] since [Date], using your [product/service name] for [purpose]. On [Notification Date], I received notice that my account data had been compromised in a security breach affecting [number if known] customers. According to your notification and public reports, the breach resulted from [describe known cause - e.g., "a misconfigured cloud database," "an unpatched vulnerability," "a phishing attack on employee credentials," etc.]. COMPROMISED DATA: Your notification indicates the following personal information was exposed: - Name and email address - [Social Security number] - [Financial account/credit card information] - [Driver's license number] - [Login credentials] - [Other exposed data] LEGAL VIOLATIONS: Your conduct violated multiple California laws: 1. CCPA Section 1798.150 - Security Failure You failed to implement and maintain reasonable security procedures appropriate to the nature of the personal information you collected. This failure directly resulted in the unauthorized access to my nonencrypted personal information. 2. California Civil Code Sections 1798.82/1798.29 - Notification Violations [If applicable: Your notification was delayed by [X] weeks/months after the breach was discovered, violating the requirement to notify "without unreasonable delay."] [If applicable: Your notification failed to include required content under Section 1798.82(d), specifically [missing elements].] 3. Negligence You owed a duty of care to implement reasonable security measures to protect my personal information. You breached this duty by [specific failures]. This breach proximately caused my damages. 4. Breach of Contract Your [Terms of Service/Privacy Policy] promised [quote relevant security commitments - e.g., "industry-standard security measures," "encryption of personal data," etc.]. You breached these commitments. 5. Breach of Implied Contract By accepting my personal information, you impliedly agreed to protect it using reasonable security measures. MY DAMAGES: As a direct result of your breach, I have suffered the following damages: 1. Out-of-Pocket Expenses: - Credit monitoring service (self-purchased): $[amount] - Credit freeze fees: $[amount] - Time and postage: $[amount] - [Other expenses]: $[amount] SUBTOTAL: $[amount] 2. Time Spent: - [X] hours monitoring accounts, freezing credit, disputing charges, corresponding with you - Valued at $[rate]/hour: $[amount] 3. Fraudulent Activity (if applicable): - [Describe any unauthorized charges, accounts opened, etc.] - Amount: $[amount] 4. Emotional Distress: - Significant anxiety about identity theft - Disruption of daily life monitoring accounts - Ongoing stress regarding permanent exposure of SSN 5. Increased Future Risk: - My Social Security number is now permanently compromised - Requires lifetime vigilance and monitoring TOTAL DOCUMENTED DAMAGES: $[amount] CCPA STATUTORY DAMAGES (if actual lower): $750 DEMAND: I demand the following within thirty (30) days of your receipt of this letter: 1. Monetary Compensation: - Reimbursement of out-of-pocket expenses: $[amount] - Compensation for time spent at $[rate]/hour: $[amount] - Additional compensation for distress and risk: $[amount] - OR CCPA statutory damages of $750 (whichever is greater) 2. Credit Protection: - 24 months of comprehensive credit monitoring from ALL three bureaus - Identity theft insurance of at least $1,000,000 - Full identity restoration services if needed 3. Service Credits: - Refund of subscription fees for period during which data was compromised: $[amount] 4. Information: - Complete disclosure of all categories of my data that were accessed - Confirmation of enhanced security measures implemented CONSEQUENCES OF NON-COMPLIANCE: If you fail to provide adequate resolution within 30 days, I will: 1. File a lawsuit in California Superior Court seeking statutory damages, actual damages, punitive damages for willful conduct, and attorney fees 2. Participate in or initiate class action litigation 3. File complaints with: - California Attorney General, Privacy Enforcement Section - Federal Trade Commission - [Relevant industry regulators] This letter constitutes the 30-day notice required under CCPA Section 1798.150(b). All rights and remedies are expressly reserved. I am willing to discuss reasonable resolution. Please contact me at [Email/Phone]. Sincerely, _______________________ [Your Signature] [Your Printed Name] Enclosures: - Your breach notification - Documentation of damages - Time log - Screenshots of account activity - [Other supporting documents]

Sample 3: Follow-Up After Inadequate Response

[Your Name] [Your Address] [City, CA ZIP] [Date] VIA CERTIFIED MAIL - RETURN RECEIPT REQUESTED [SaaS Company Name] Legal Department [Address] Re: FOLLOW-UP DEMAND - INADEQUATE RESPONSE TO DATA BREACH CLAIM Original Demand Letter: [Date] Your Response: [Date] Dear [Company]: This letter responds to your [Date] communication regarding my demand letter of [Original Date] concerning the data breach affecting my personal information. INADEQUATE RESPONSE: Your response is inadequate for the following reasons: 1. Credit Monitoring Offer Insufficient: You offered 12 months of single-bureau monitoring. Given that my [Social Security number/financial information] was exposed, this is woefully inadequate. I demanded, and continue to demand, 24 months of three-bureau monitoring with identity theft insurance. 2. No Compensation for Damages: You failed to address my documented out-of-pocket expenses of $[amount] and time spent ([X] hours) addressing this breach. These are direct, provable damages caused by your security failure. 3. Failure to Address Security Violations: You have not acknowledged the security failures that led to this breach or confirmed what measures have been implemented to prevent recurrence. 4. [Other inadequate aspects of response] 30-DAY CURE PERIOD STATUS: My original letter dated [Date] constituted notice under CCPA Section 1798.150(b). The 30-day cure period [has expired / expires on [Date]]. [If expired:] As you have failed to cure the violations within 30 days, I am now entitled to pursue litigation for statutory damages of up to $750 per incident plus actual damages and attorney fees. [If not expired:] You have until [Date] to provide an adequate cure as specified in my original demand. FINAL DEMAND: I will accept resolution of this matter if you provide the following within [10/14] days: 1. 24 months of three-bureau credit monitoring with $1M identity theft insurance 2. Reimbursement of documented expenses: $[amount] 3. Compensation for time at $[rate]/hour ([X] hours): $[amount] 4. [Additional demands] TOTAL: $[amount] plus credit monitoring/insurance LITIGATION NOTICE: If I do not receive acceptable resolution by [Deadline Date], I will immediately: 1. File a complaint in California [Small Claims Court if under $12,500 / Superior Court] seeking statutory damages, actual damages, and all available remedies 2. Retain counsel to pursue class action participation or individual litigation for attorney fees 3. Report your inadequate response to the California Attorney General This is my final demand. There will be no further extensions. Sincerely, _______________________ [Your Signature] [Your Printed Name] cc: California Attorney General [optional]

Related Resources

Attorney Services

Need Help With Your SaaS Data Breach Claim?

I help California consumers and businesses pursue compensation for data breaches caused by SaaS vendor security failures. From demand letter drafting to litigation, I can help you recover damages and hold negligent vendors accountable.

How I Can Help

CCPA Pre-Suit Notices: I draft comprehensive 30-day notices that satisfy statutory requirements and maximize leverage for settlement
Damage Documentation: I help you identify and document all recoverable damages, including time, expenses, and emotional distress
Vendor Negotiations: I negotiate directly with SaaS vendors and their legal teams to obtain fair compensation
Litigation: I file and prosecute CCPA, negligence, and contract claims in California courts
Class Action Evaluation: I assess whether your case is appropriate for class action or individual litigation
Business Claims: If your business was affected by a vendor breach, I help pursue B2B claims for contract breach and negligence

Types of Cases I Handle

SaaS platform data breaches affecting consumer personal information
Cloud service provider security failures
Delayed or inadequate breach notification
Identity theft resulting from vendor negligence
Business data breaches through third-party SaaS tools
CCPA Section 1798.150 security failure claims
Breach of contract claims based on security commitments
Negligence claims for failure to implement reasonable security

When to Consult an Attorney

Consider consulting an attorney if:

Your Social Security number or financial account information was exposed
You have experienced actual identity theft or fraud
Your damages exceed $5,000
The vendor's response to your demand was inadequate
You want to maximize recovery under CCPA
You believe the breach affected many consumers (potential class action)
The vendor is disputing liability or offering minimal compensation

Schedule a Consultation

Book a call to discuss your SaaS data breach case. I will review your situation, explain your legal options, and recommend the best strategy for pursuing compensation.

Contact Information

Email: owner@terms.law

Frequently Asked Questions

California Civil Code Section 1798.150 provides consumers with a private right of action when a business fails to implement reasonable security procedures, and that failure results in unauthorized access to unencrypted personal information. Consumers can recover statutory damages of $100-$750 per incident OR actual damages, whichever is greater. However, you must send the business a 30-day written notice before filing suit, giving them an opportunity to cure the violation.

CCPA applies to businesses that collect California residents' personal information, regardless of where the business is located, if they meet certain thresholds (generally $25 million revenue, or data on 50,000+ consumers, or 50%+ revenue from selling personal information). California's long-arm jurisdiction typically applies to out-of-state SaaS vendors serving California customers. You can also bring claims based on negligence and breach of contract under California law if the vendor's Terms of Service don't specify another governing law, or potentially in your local California court.

Recovery depends on several factors. Under CCPA Section 1798.150, statutory damages range from $100-$750 per consumer per incident. If your actual damages exceed this (out-of-pocket costs, time spent, fraud losses, identity theft expenses), you can recover actual damages instead. Many cases settle for credit monitoring (retail value $300-$500/year) plus cash compensation. Significant individual cases with documented identity theft can settle for $5,000-$25,000+. Class action settlements typically provide $50-$200 per class member plus credit monitoring.

California hasn't defined "reasonable security" precisely, but the Attorney General has referenced the Center for Internet Security's Critical Security Controls as a baseline. Generally, reasonable security includes: encryption of personal data at rest and in transit, multi-factor authentication, regular security audits and penetration testing, employee security training, access controls limiting data access to those who need it, security monitoring and logging, timely patching of known vulnerabilities, and incident response planning. Failure in any of these areas can support a claim of unreasonable security.

It depends on your damages. If you suffered significant individual harm (actual identity theft, substantial fraud, documented losses over $5,000-$10,000), individual claims may yield better recovery. Class actions typically result in modest per-person payments ($50-$200) but are appropriate when individual damages are small. You can often file an individual demand while preserving class action rights. If a class action is already filed, you may need to opt out to pursue individual claims. An attorney can help evaluate which approach maximizes your recovery.

This is the "standing" challenge in many breach cases. Courts increasingly recognize that exposure of sensitive data like SSNs creates actionable harm even without actual identity theft. Document all concrete harms: time spent monitoring accounts, cost of credit freezes, anxiety requiring medical attention, any suspicious activity. The value of credit monitoring you should receive is itself a form of damage. CCPA statutory damages don't require proof of actual identity theft - the security failure and exposure are sufficient. However, cases with documented actual fraud or identity theft are stronger.

Statutes of limitations vary by claim type: CCPA claims likely have a 3-4 year limitation (courts haven't definitively ruled). Negligence claims have a 2-year limitation from when you discovered or should have discovered the harm. Breach of written contract claims have a 4-year limitation. Regardless of legal deadlines, act promptly - evidence fades, vendors may destroy records, and delays can undermine your case. Send a demand letter within 30-60 days of learning about the breach.