What to Do After a Cyberattack in California (2026)

If your business has been hacked, the first few hours are critical. The actions you take immediately after discovering a cyber incident influence how far attackers spread, how much data is lost, how quickly operations recover, and whether legal notification requirements under California law apply.

This guide explains what to do after a cyberattack in California, including immediate containment steps, reporting options, recovery planning, and California’s data breach notification expectations for organizations.

What to Do After a Cyberattack in California

Whether your organization is facing ransomware, unauthorized access, business email compromise, or suspected data theft, knowing what to do after a cyberattack in California can reduce downtime, protect sensitive information, and limit regulatory exposure.

Follow the structured steps below to regain control quickly and responsibly.

Step 1: Confirm the Incident and Start an Incident Log Immediately

Cyberattacks commonly appear through:

  • Ransomware notes, encrypted files, or locked systems
  • Unauthorized password resets or suspicious login alerts
  • Unexpected multi-factor authentication prompts
  • Fraudulent invoices or payment change requests
  • Disabled security tools or new administrator accounts
  • Unusual outbound network activity

Begin documenting right away:

  • Time of discovery
  • Systems and users impacted
  • Screenshots of alerts or ransom notes
  • Employee reports of suspicious activity
  • All response actions taken

Accurate documentation supports investigations, cyber insurance claims, and compliance obligations under California’s data breach notification statute (Cal. Civ. Code § 1798.29 and § 1798.82) and the California Consumer Privacy Act (CCPA/CPRA).

Step 2: Contain the Threat While Preserving Evidence

When people search for what to do after a cyberattack in California, many rush to shut everything down. Containment is essential, but preserving evidence is equally important.

Recommended actions:

  • Disconnect compromised machines from the network
  • Disable affected user and administrator accounts
  • Block malicious IP addresses and domains
  • Preserve logs, suspicious emails, and ransom notes

The ransomware response guidance from the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes isolating systems while keeping forensic artifacts for investigation and recovery.

Avoid wiping systems until the full scope of compromise is confirmed.
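The incident log from Step 1 and the evidence preservation from Step 2 can be handled together. The script below is an added example written for this guide; it is not PivIT Strategy's tooling and not from CISA. It keeps an append-only JSON Lines log of discoveries and response actions, fingerprints each preserved artifact (a ransom note, an exported authentication log) with SHA-256 at collection time, and can later re-hash everything to show which artifacts were altered after collection. All file names, log text and the incident identifier are constructed samples.

```python
"""
Incident log plus evidence manifest for the first hours of a response.

Added example, not PivIT Strategy's tooling. Records response actions in an
append-only JSON Lines log and hashes preserved artifacts with SHA-256 so a
later investigator (or insurer) can confirm they were not changed after
collection. Every file name and content below is a constructed sample.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large exported logs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class IncidentLog:
    """Append-only JSON Lines log: one record per observation or response action."""

    def __init__(self, log_path: Path, incident_id: str):
        self.log_path = log_path
        self.incident_id = incident_id

    def record(self, action: str, actor: str, **details) -> dict:
        entry = {
            "incident_id": self.incident_id,
            "recorded_at": datetime.now(timezone.utc).isoformat(),  # UTC, never local time
            "actor": actor,
            "action": action,
            **details,
        }
        with self.log_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def preserve(self, artifact: Path, actor: str, note: str = "") -> dict:
        """Fingerprint an artifact and log its hash, size and collection time."""
        return self.record(
            "preserve_artifact",
            actor,
            artifact=str(artifact),
            sha256=sha256_file(artifact),
            size_bytes=artifact.stat().st_size,
            note=note,
        )

    def entries(self) -> list:
        with self.log_path.open(encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def verify_manifest(log: IncidentLog) -> list:
    """Re-hash every preserved artifact; return base names whose hash no longer matches."""
    tampered = []
    for entry in log.entries():
        if entry["action"] != "preserve_artifact":
            continue
        path = Path(entry["artifact"])
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            tampered.append(path.name)
    return tampered


def demo() -> tuple:
    """Build a constructed evidence folder, log it, then detect a modified artifact.

    Returns (number of log entries, list of tampered artifact names).
    """
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        ransom_note = evidence / "README_DECRYPT.txt"  # constructed sample, not a real note
        ransom_note.write_text("Your files are encrypted. (constructed sample text)\n")
        auth_log = evidence / "auth.log"  # constructed sample log line
        auth_log.write_text("2026-01-14T03:12:07Z login failed user=svc_backup src=198.51.100.23\n")

        log = IncidentLog(Path(tmp) / "incident.jsonl", incident_id="IR-2026-0001")
        log.record("discovery", actor="help desk", detail="Ransom note reported on file server FS01")
        log.preserve(ransom_note, actor="it-admin", note="copied from FS01 desktop")
        log.preserve(auth_log, actor="it-admin", note="exported before isolation")
        log.record("containment", actor="it-admin", detail="FS01 disconnected from network")

        auth_log.write_text("")  # simulate an accidental wipe of preserved evidence
        return len(log.entries()), verify_manifest(log)


if __name__ == "__main__":
    count, tampered = demo()
    print(f"{count} log entries; artifacts changed since collection: {tampered}")
```

Hashes belong in the log at the moment of collection, not afterwards: the value of the manifest is that it was written before anyone rebuilt or re-imaged a system, which is also why the log is append-only rather than edited in place.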

Step 3: Secure Backups Before Attackers Reach Them

Many ransomware groups attempt to encrypt or delete backups to prevent recovery.

Immediately:

  • Verify backups are isolated or offline
  • Pause backup jobs if compromise is suspected
  • Rotate backup administrator credentials
  • Confirm clean restore points exist

If your organization carries cyber insurance, notify the provider promptly. PivIT Strategy’s Advanced Cybersecurity Services team can help assess backup integrity and ensure recovery options remain protected.

Step 4: Lock Down Email, Identity, and Financial Systems

Email compromise remains one of the most common entry points for cyber incidents.

Email security priorities

  • Reset global and delegated administrator accounts
  • Enforce multi-factor authentication across all users
  • Review forwarding rules and third-party app access
  • Remove suspicious sessions and devices

Identity and endpoint protection

  • Force password resets organization-wide
  • Confirm endpoint security tools are active
  • Patch exposed systems and remote access services

Financial controls

  • Freeze payment instruction changes temporarily
  • Verify vendor requests by phone
  • Review recent wire and ACH activity

These steps help prevent secondary financial losses, which are especially common following business email compromise incidents.
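Reviewing forwarding rules is the one item in this step that is easy to do badly by eye across many mailboxes. The script below is an added example for this guide, not PivIT Strategy's tooling and not any mail platform's API. It takes a rule export in a constructed JSON shape (the field names are assumptions; a real export from your mail platform will differ and needs a small adapter) and flags the patterns that commonly survive a business email compromise: forwarding to an external domain, rules that delete finance-related mail so the victim never sees it, and rules with blank or one-character names, which are often used to hide a rule in the list.

```python
"""
Mailbox rule triage after a suspected email compromise.

Added example, not PivIT Strategy's tooling or a vendor API. Field names in the
export and the sample mailboxes are constructed for this example.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
FINANCE_KEYWORDS = ("invoice", "wire", "ach", "payment", "bank")

# Constructed sample export. "mail-drop.test" is a reserved test domain, not a real host.
RULE_EXPORT = json.dumps([
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": ["cfo.example@mail-drop.test"], "delete": False,
     "subject_contains": ["invoice", "wire"]},
    {"mailbox": "ap@example.com", "name": "Vendor payments", "enabled": True,
     "forward_to": ["finance-team@example.com"], "delete": False,
     "subject_contains": ["payment"]},
    {"mailbox": "ap@example.com", "name": "", "enabled": True,
     "forward_to": [], "delete": True,
     "subject_contains": ["bank"]},
    {"mailbox": "hr@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete": False,
     "subject_contains": ["newsletter"]},
])


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; the whole string if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower()


def review_rule(rule: dict) -> list:
    """Return the reasons one rule deserves a human look (empty list if none)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons  # disabled rules are noted elsewhere; they cannot act on mail now

    external = [a for a in rule.get("forward_to", []) if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append(f"forwards to external address(es): {', '.join(external)}")

    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    touches_finance = any(k in s for s in subjects for k in FINANCE_KEYWORDS)
    if rule.get("delete") and touches_finance:
        reasons.append("deletes messages matching finance keywords")

    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character (often used to hide rules)")
    return reasons


def review_export(export_json: str) -> dict:
    """Map 'mailbox:rule-name' to its findings, keeping only rules that have any."""
    findings = {}
    for rule in json.loads(export_json):
        reasons = review_rule(rule)
        if reasons:
            key = f"{rule['mailbox']}:{rule.get('name') or '<unnamed>'}"
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for rule_key, reasons in review_export(RULE_EXPORT).items():
        print(rule_key)
        for reason in reasons:
            print("  -", reason)
```

The internal domain list is the only site-specific input; everything a rule forwards to outside that set is worth a question, even when the destination looks like a personal copy of a staff name. Findings are returned, not just printed, so the same routine can be run on every mailbox during the Step 1 documentation and again after the resets in this step to confirm nothing was re-created.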

Step 5: Report the Incident and Seek Professional Support

Reporting supports investigations and may help recover stolen funds.

Federal reporting

The FBI encourages cybercrime victims to submit reports through IC3 and advises against paying ransomware demands because payment does not guarantee recovery and often leads to repeat attacks.

California Privacy Protection Agency (CPPA)

The CPPA enforces the CCPA/CPRA and may be relevant if the breach involves personal data subject to those statutes. For breaches triggering notification obligations, the California Attorney General’s Office also plays a key role.

Ransomware guidance

CISA’s StopRansomware resources provide structured containment and recovery checklists for organizations of all sizes.

At this stage, many California organizations engage PivIT Strategy’s Managed IT Services team to manage response, investigation, and restoration.

Step 6: Understand California Data Breach Notification Requirements

One of the main reasons businesses search for what to do after a cyberattack in California is concern about compliance. California was the first state in the nation to enact a data breach notification law in 2002, and its requirements are among the most comprehensive in the country. A major update — Senate Bill 446 (SB 446) — took effect January 1, 2026, introducing firm deadlines for the first time.

Key obligations:

  • 30-day notification deadline (new in 2026) — As of January 1, 2026, any person or business that conducts business in California must notify affected individuals within 30 calendar days of discovering or being informed of a breach. Previously, the standard was “without unreasonable delay” with no set timeframe. Limited exceptions exist for law enforcement needs or time required to determine the scope of the breach and restore system integrity.
  • 15-day AG notification deadline (new in 2026) — When a breach affects more than 500 California residents, a sample copy of the consumer notice must be submitted to the California Attorney General within 15 calendar days of notifying affected individuals.
  • CCPA/CPRA exposure — Beyond the breach notification statute, California businesses subject to the CCPA/CPRA may face additional obligations and civil liability if the breach involves personal information that was not protected by reasonable security measures. The CPRA created a limited private right of action for individuals whose non-encrypted or non-redacted personal information is exposed due to inadequate security.
  • Broad definition of personal information — California’s definition covers Social Security numbers, driver’s license numbers, financial account numbers, medical and health insurance information, biometric data, government-issued ID numbers, unique electronic identifiers, and login credentials.
  • No harm threshold — Unlike some states, California does not limit notification to breaches that are likely to cause harm. Any breach of unencrypted personal information triggers notification obligations.

Enforcement and penalties

  • The California Attorney General may seek civil penalties of $100 to $750 per consumer per incident, or actual damages (whichever is greater), for CCPA/CPRA violations involving inadequate security.
  • The CPPA enforces broader privacy violations with penalties up to $2,500 per unintentional violation and $7,500 per intentional violation.
  • Businesses have 30 days to cure violations before CPPA enforcement, though cure opportunities may be limited.

Organizations should:

  • Notify affected individuals within 30 days of discovering the breach
  • Submit a sample notice to the California AG within 15 days of notifying individuals (for breaches of 500+)
  • Assess potential CCPA/CPRA exposure if the breach involved inadequate security
  • Document the investigation timeline carefully

For more on your ongoing compliance obligations, see our guide to California Cybersecurity Laws You Should Know (2026).

Step 7: Communicate Clearly and Carefully

Poor communication often increases reputational and financial damage, and in California, it can directly increase regulatory and civil exposure.

Internal communication

  • Share verified information only
  • Provide official password reset instructions
  • Warn employees about attacker outreach attempts
  • Centralize incident communications

External communication

  • Use alternate channels if email is compromised
  • Alert vendors of possible fraud risk
  • Coordinate customer communications with legal guidance

California’s breach notification statute specifies required content for consumer notices, including a description of what happened, the types of information involved, steps the organization is taking, and contact information. Substitute notice via email, website, and statewide media is permitted for very large-scale breaches.

Step 8: Recover Systems and Strengthen Defenses

Recovery is not just restoring files. It involves removing the attacker and closing the security gaps that allowed them in.

Typical recovery efforts include:

  • Forensic timeline analysis
  • Rebuilding compromised systems
  • Organization-wide credential resets
  • Multi-factor authentication implementation
  • Network segmentation improvements
  • Backup isolation enhancements
  • Advanced endpoint and email monitoring

Without hardening, businesses remain vulnerable to repeat attacks. California’s CCPA/CPRA imposes an ongoing duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information a business maintains — not just a post-breach obligation.

PivIT Strategy’s IT Consulting Services can help California organizations build a post-incident security roadmap. For executive-level IT leadership and long-term security strategy, our Fractional CIO Services provide ongoing guidance without the cost of a full-time hire.

How PivIT Strategy Helps California Businesses After a Cyberattack

When a California business contacts PivIT Strategy, the focus is fast containment, secure recovery, and long-term protection.

Support typically includes:

  • Immediate threat isolation
  • Email and identity security lockdown
  • Forensic investigation coordination
  • Secure system restoration
  • Compliance documentation assistance
  • Ongoing cybersecurity improvements

Contact us to speak with our team.

Final Checklist: What to Do After a Cyberattack in California

  • Start an incident log
  • Isolate affected systems
  • Disable compromised accounts
  • Secure backups
  • Lock down email and identity access
  • Report to FBI IC3 for ransomware or fraud
  • Notify affected individuals within 30 days of discovering the breach
  • Submit a sample notice to the California AG within 15 days of notifying individuals (for 500+ residents)
  • Assess potential CCPA/CPRA exposure
  • Recover systems and strengthen security

Frequently Asked Questions: What to Do After a Cyberattack in California

How quickly should a business respond? Immediately. The first few hours determine how much damage spreads and whether backups remain usable.

What is California’s new notification deadline as of 2026? SB 446, effective January 1, 2026, requires notification to affected individuals within 30 calendar days of discovering a breach. The California AG must receive a sample notice within 15 days of notifying individuals when 500 or more residents are affected.

Does California require notification for every breach? Yes. Unlike many states, California does not have a harm threshold. Any breach of unencrypted personal information triggers notification obligations.

What is the CCPA’s role in a cyberattack response? If the breach involved personal information that was not protected by reasonable security, affected individuals may have a private right of action under the CCPA/CPRA. Businesses should assess this exposure and consult legal counsel promptly.

Should a ransom be paid? Law enforcement discourages paying ransoms because recovery is not guaranteed and attackers often target paying victims again.

Who should be contacted first?

  • Internal IT or managed service provider
  • Cyber insurance provider
  • FBI IC3 for ransomware or fraud
  • Legal or compliance advisors
  • California AG (within 15 days of individual notice for 500+ residents)

What mistakes make breaches worse?

  • Missing the new 30-day individual notification deadline
  • Missing the 15-day AG notice window
  • Failing to assess CCPA/CPRA exposure
  • Wiping systems before forensic review

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.

Mitch Wolverton

Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.