Blog · June 19, 2026 · 18-minute read
Cybersecurity attorney fee petition mechanics: California AG Data Breach Report Registry as primary Welch anchor, CCPA § 1798.150(a) mandatory statutory damages advisory on the state regulatory notification calendar, CCPA class cert and Cal. Penal Code § 502(e)(2) CDAFA Ketchum mandatory fee advisory on the FRCP 16(b) scheduling order, and § 1798.150(a) mandatory statutory damages fee petition advisory on the post-judgment calendar
Cybersecurity data breach practice — spanning CCPA Cal. Civ. Code § 1798.150(a) mandatory statutory damages class actions, Cal. Penal Code § 502(e)(2) CDAFA concurrent mandatory attorney fee claims, and California AG enforcement coordination — concentrates three categories of externally-scheduled advisory work where the primary billing anchor appears in the California AG Data Breach Report Registry at oag.ca.gov before any PACER entry exists, before any class action complaint is filed, and before any court has jurisdiction over the dispute. The California AG Data Breach Report Registry is the only primary Welch anchor in the fee-petition-mechanics series where the anchor date is established in a state regulatory database as a mandatory compliance obligation that runs on the breach timeline rather than on any adversarial proceeding: Cal. Civ. Code § 1798.29(a) and § 1798.82(a) require notification to the California AG when 500 or more California residents are affected by a qualifying breach, creating a registry entry that correlates with the earliest breach notification advisory calls and precedes the CCPA class complaint filing by days to months. Cal. Penal Code § 502(e)(2) provides an independent California mandatory "shall award reasonable attorney's fees to a prevailing plaintiff" fee obligation — eligible for the Ketchum v. Moses, 24 Cal.4th 1122 (2001), positive multiplier — running concurrently with § 1798.150(a)'s statutory damages framework. City of Burlington v. Dague, 505 U.S. 557 (1992), prohibits the Ketchum multiplier for any companion federal fee-shifting component (CFAA, FCRA, ECPA). The three-anchor Welch v. Metropolitan Life Insurance Co., 480 F.3d 942 (9th Cir. 2007), temporal framework: California AG Data Breach Report Registry notification date (California state regulatory database, non-PACER — primary anchor; the only anchor in the series established before any litigation is contemplated) + FRCP 16(b) scheduling order class certification briefing deadline (CM/ECF PACER — secondary anchor) + CCPA § 1798.150(a) mandatory statutory damages and § 502(e)(2) CDAFA attorney fee award order date (PACER or California state court — tertiary anchor).
TL;DR
- Failure mode 1 — California AG Data Breach Report Registry breach notification advisory call cycle on the state regulatory notification calendar: 5.87 untracked hours = $1,760–$2,933/year (8 active cybersecurity clients with qualifying California AG breach notification obligations × 2 advisory calls × 40 min × 55% untracked at $300–$500/hr). Billing gap driven by the California AG Data Breach Report Registry calendar — § 1798.29 mandatory breach notification scope analysis and § 1798.150(a) statutory damage exposure advisory calls arrive when the client's incident response team confirms a qualifying breach affecting 500 or more California residents and the AG notification obligation attaches before any civil complaint is filed (California AG Data Breach Report Registry notification date: California state regulatory database, non-PACER, entirely outside PACER/CM/ECF and any court docketing system — primary anchor); HIPAA/CCPA breach notification coordination and HHS OCR Breach Portal advisory calls arrive when the breach involves protected health information requiring parallel HHS OCR notification within 60 days under 45 C.F.R. § 164.408(b) (HHS OCR Breach Reporting Tool: secondary non-PACER federal anchor in the HHS Office for Civil Rights database). Neither advisory event corresponds to any PACER entry; both are driven by regulatory compliance calendars that precede any civil complaint filing by days to months.
- Failure mode 2 — CCPA § 1798.150(a) class cert and Cal. Penal Code § 502(e)(2) CDAFA concurrent mandatory fee documentation advisory call cycle on the FRCP 16(b) scheduling order: 7.26 untracked hours = $2,178–$3,630/year (6 active CCPA class action clients with concurrent § 502(e)(2) CDAFA claims × 3 advisory calls × 44 min × 55% untracked). Billing gap driven by the FRCP 16(b) scheduling order posted to PACER — CCPA § 1798.150(a) class certification scope and TransUnion standing audit advisory calls arrive when the scheduling order sets the class certification briefing deadline and the class definition strategy must be finalized; § 502(e)(2) CDAFA mandatory "shall award" attorney fees documentation and Ketchum/Dague bifurcated lodestar advisory calls arrive when the class certification order is entered and the California § 502(e)(2) lodestar must be separated from any companion federal-claim lodestar; California AG enforcement investigation coordination advisory calls arrive when a parallel AG enforcement investigation requires civil litigation coordination before the class certification hearing.
- Failure mode 3 — CCPA § 1798.150(a) mandatory statutory damages and § 502(e)(2) concurrent mandatory attorney fee petition advisory call cycle on the post-judgment calendar: 4.03 untracked hours = $1,210–$2,017/year (5 active cybersecurity fee petition clients × 2 advisory calls × 44 min × 55% untracked). Billing gap driven by the post-judgment calendar — § 1798.150(a) mandatory statutory damages calculation and Hensley lodestar fee petition advisory calls arrive when the class action reaches final approval or a judgment is entered; § 502(e)(2) CDAFA concurrent mandatory attorney fee petition and Ketchum multiplier calculation advisory calls arrive when the bifurcated California/federal lodestar must be assembled with the Ketchum multiplier analysis for the California § 502(e)(2) component and the Dague no-multiplier rule applied to any companion federal-claim component.
Total: 17.16 untracked hours = $5,148–$8,580/year. The unique distinguisher in cybersecurity practice: the California AG Data Breach Report Registry is the only primary Welch anchor in the fee-petition-mechanics series where the anchor date is established in a state regulatory compliance database before any adversarial proceeding commences — before the class action complaint is drafted, before the plaintiff's attorney is retained, and before any cause of action is filed. Every other primary anchor in the series is triggered by or concurrent with the underlying dispute's commencement. The regulatory notification obligation under § 1798.29(a) attaches to the breach event itself, creating a billing period that begins in a California state regulatory database at a date that appears in no PACER record and that a billing expert consulting only PACER will never locate. The § 502(e)(2) CDAFA mandatory "shall award" attorney fee obligation — eligible for Ketchum positive multiplier for the California component and subject to Dague no-multiplier for any federal companion claim component — requires a bifurcated lodestar beginning from the CA AG registry notification date forward, making the registry date the most consequential non-PACER anchor in the series for lodestar period calculation.
The California AG Data Breach Report Registry breach notification advisory call cycle on the state regulatory notification calendar: 5.87 untracked hours = $1,760–$2,933/year
The California Attorney General's Data Breach Report Registry — the California AG's online database for mandatory data breach notifications under Cal. Civ. Code § 1798.29(a) and § 1798.82(a) — is the primary Welch temporal anchor for cybersecurity billing, and its position in the fee-petition-mechanics series is structurally unique: it is the only primary anchor in the series established in a state regulatory database as a mandatory compliance obligation rather than as a consequence of any adversarial proceeding. Cal. Civ. Code § 1798.29(a) requires any agency that owns or licenses computerized data including personal information to notify affected California residents of a qualifying security breach "in the most expedient time possible and without unreasonable delay." Section 1798.82(a) imposes the same obligation on private businesses. When a breach affects more than 500 California residents, § 1798.29(f) and § 1798.82(f) additionally require the business to electronically submit a copy of the breach notification to the California Attorney General — creating the Data Breach Report Registry entry that precedes the civil CCPA § 1798.150(a) class complaint filing by days to months. The AG registry entry date is the first verifiable billing anchor in cybersecurity practice and the earliest date from which the Hensley v. Eckerhart, 461 U.S. 424 (1983), lodestar runs for the concurrent Cal. Penal Code § 502(e)(2) CDAFA mandatory attorney fee petition.
The structural consequence for billing documentation is distinctive. In every other practice area in the fee-petition-mechanics series, the earliest billing advisory calls arrive when the adversarial proceeding commences — when the FBI opens a criminal investigation (RICO), when the government files removal proceedings (immigration removal defense), when the inter partes opposition is filed (trademark), when the accusation is served (professional license defense). In cybersecurity data breach practice, the earliest billing advisory calls arrive when the incident response team confirms the breach and the mandatory California AG notification obligation attaches — which is a regulatory compliance event tied to the breach itself, not to any dispute between adverse parties. The breach notification obligation runs on the breach timeline: § 1798.29(a) requires notification "in the most expedient time possible," and the California AG's enforcement posture under its published guidance treats 30 days as the upper limit before notification delay becomes itself a violation. A solo cybersecurity attorney retained by the breached entity within 24 to 72 hours of breach discovery must generate the first California AG registry advisory call before the affected consumers' class counsel are even aware that the breach occurred — and those advisory hours begin the § 502(e)(2) CDAFA mandatory fee-recoverable billing period under § 502(e)(2)'s "shall award" standard.
California AG Data Breach Report Registry advisory call types: (a) California AG § 1798.29 mandatory breach notification scope analysis and CCPA § 1798.150(a) statutory damage exposure advisory (38–45 min) — arrives when the client's incident response team confirms a qualifying breach and the attorney must analyze the AG notification obligation and the § 1798.150(a) statutory damages exposure before the AG notification is submitted. The advisory call covers: Cal. Civ. Code § 1798.81.5(d)(1)(A)–(E) personal information categories — classification of which categories of compromised data trigger mandatory notification (Social Security number; driver's license or state ID number; financial account number with security code; medical information as defined in Cal. Civ. Code § 56.05(j); username or email address with password or security question and answer); § 1798.150(a) per-consumer per-incident mandatory statutory damages exposure calculation — $100–$750 per California resident affected, multiplied by the number of California residents whose nonencrypted and nonredacted personal information was compromised, establishing the maximum aggregate statutory damages exposure before the class complaint is filed; Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), concrete injury analysis — whether the compromised data categories generate concrete, particularized harm (financial account data supports concrete harm; username/password combinations with no demonstrated downstream misuse may generate Spokeo-insufficient bare statutory violation standing for Article III purposes); TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), class standing audit — whether the affected consumers can be stratified at the notification stage into a concrete-harm subclass (demonstrated financial fraud, identity theft, or unauthorized account access) and a risk-of-harm-only subclass (informational exposure without demonstrated downstream misuse); and the 4th Estate analogy — the CA AG registry notification date functions similarly to a copyright registration date under 4th Estate Public Benefit Corp. v. Wall-Street.com LLC, 586 U.S. 296 (2019), as an anchor event that establishes the breach timeline prerequisite before any civil action for § 1798.150(a) statutory damages can proceed. (b) HIPAA/CCPA breach notification coordination and HHS OCR Breach Reporting Tool advisory (38–45 min) — arrives when the breach involves protected health information (PHI) as defined in 45 C.F.R. § 164.402, requiring parallel HHS OCR notification within 60 days of discovery under the HIPAA Breach Notification Rule, 45 C.F.R. § 164.408(b). The advisory call covers: HHS OCR Breach Reporting Tool — a federal non-PACER health data breach database maintained by the Department of Health and Human Services Office for Civil Rights (a secondary non-PACER Welch anchor in the HHS database, entirely outside PACER and the California AG registry, recording the HHS notification date independently of the AG notification date); Cal. Health & Safety Code § 1280.15 parallel California healthcare data breach notification requirement to the California Department of Public Health within 15 business days of breach discovery when patients are affected; Cal. Civ. Code § 56.36(b) Confidentiality of Medical Information Act civil damages of $1,000 per violation or actual damages (whichever is greater) for negligent medical information breaches, creating an independent CMIA civil cause of action running concurrently with CCPA § 1798.150(a); and OCR resolution agreement and corrective action plan advisory for healthcare entities whose breach triggers HHS OCR enforcement parallel to the California private CCPA class action.
Arithmetic: 8 active cybersecurity clients with qualifying California AG breach notification obligations requiring breach notification scope analysis and § 1798.150(a) statutory damage exposure advisory across the year × 2 advisory calls (1 CA AG § 1798.29 mandatory breach notification scope analysis and § 1798.150(a) statutory damage exposure advisory, 1 HIPAA/CCPA breach notification coordination and HHS OCR Breach Reporting Tool advisory) × 40 min average × 55% untracked = 5.87 untracked hours = $1,760–$2,933/year at $300–$500/hr.
The Welch temporal anchor for California AG Data Breach Report Registry advisory calls runs through the California AG's own regulatory database. The CA AG Data Breach Report Registry notification date — accessible at oag.ca.gov/ecrime/databreach/report and in the AG's internal enforcement tracking system — is the primary anchor. A billing record must show the California AG § 1798.29 mandatory breach notification scope analysis and § 1798.150(a) statutory damage exposure advisory entry of 38–45 minutes within 24 to 72 hours of the date the client first disclosed the breach and the AG notification obligation was established. A billing record where the earliest cybersecurity data breach advisory entry is the CCPA class complaint filing date in PACER — with no entry near the CA AG registry notification date — is missing the primary anchor advisory calls, which may predate the CCPA class complaint filing by 30 to 90 days in matters where the AG notification obligation was met before class action plaintiff's counsel were even retained. Under § 502(e)(2)'s mandatory "shall award" standard, every advisory hour from the CA AG registry notification date through the CDAFA claim's resolution is recoverable — and advisory hours logged only from the PACER complaint filing date forward forgo the entire pre-complaint breach notification advisory fee recovery that § 502(e)(2)'s "shall award" mandate requires.
The CCPA § 1798.150(a) class certification and Cal. Penal Code § 502(e)(2) CDAFA concurrent mandatory fee documentation advisory call cycle on the FRCP 16(b) scheduling order: 7.26 untracked hours = $2,178–$3,630/year
Once the CCPA § 1798.150(a) class complaint is filed and the district court enters the FRCP 16(b) scheduling order, the class certification briefing cycle generates advisory calls that arrive on the court's scheduling calendar rather than on any deadline the attorney controls. CCPA § 1798.150(a) class certification has a structural feature that distinguishes it from most other statutory class actions: the "per consumer per incident" statutory damages formula — $100–$750 per California resident per breach incident — means that Rule 23(b)(3) predominance analysis is simplified by the uniform per-person statutory damages floor (individual proof of actual damages is not required for each class member, making the damages model classwide by statutory design under Comcast Corp. v. Behrend, 569 U.S. 27 (2013)) while the aggregate exposure calculation generates class certification advisory calls throughout the briefing cycle as the class size is refined through discovery. Concurrent California Penal Code § 502(e)(2) CDAFA — providing a mandatory "shall award reasonable attorney's fees to a prevailing plaintiff" — runs a parallel mandatory fee documentation advisory track at every class certification milestone: the § 502(e)(2) CDAFA elements (Cal. Penal Code § 502(c)(1)–(7) prohibited access categories) must be developed in parallel with the § 1798.150(a) class certification elements, and the § 502(e)(2) mandatory fee documentation must be maintained from the CA AG registry notification date forward through the class certification order to support the eventual Ketchum-eligible mandatory attorney fee petition.
CCPA class certification and § 502(e)(2) CDAFA concurrent mandatory fee documentation advisory call types: (a) CCPA § 1798.150(a) class certification scope, TransUnion standing audit, and class definition advisory (42–50 min) — arrives when the FRCP 16(b) scheduling order sets the class certification briefing deadline and the class definition must be finalized. The advisory call covers: CCPA Cal. Civ. Code § 1798.150(a) private right of action elements — nonencrypted and nonredacted personal information as defined in § 1798.81.5(d)(1)(A)–(E) must have been subject to unauthorized access and exfiltration, disclosure, or unauthorized use as a result of the business's failure to implement and maintain reasonable security procedures and practices; Rule 23(a) numerosity, commonality, typicality, and adequacy analysis for CCPA data breach class actions (numerosity almost always satisfied given that § 1798.82(f) notification only triggers for 500+ California resident breaches; commonality and typicality driven by the common breach event); Rule 23(b)(3) predominance analysis — § 1798.150(a) uniform statutory damages ($100–$750 per consumer) constitute a classwide damages formula satisfying Comcast Corp. v. Behrend, 569 U.S. 27 (2013), because the statutory damages "cap-and-floor" structure is itself the damages model, not a proxy for actual harm; TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), class standing strategy — whether to define a narrower concrete-harm class for federal court filing (stronger Article III standing, smaller class size, lower aggregate statutory damages exposure) or a broader risk-of-harm class for California state court filing under Cal. Code Civ. Proc. § 382 (avoids Article III TransUnion standing constraint, larger class size, higher aggregate § 1798.150(a) statutory damages exposure); and § 1798.150(b) 30-day cure-and-notice provision pre-suit demand letter analysis — whether the pre-complaint demand letter to the breached business and the 30-day cure window have elapsed (the § 1798.150(b) pre-suit demand is a statutory prerequisite to any § 1798.150(a) private right of action for statutory damages). (b) Cal. Penal Code § 502(e)(2) CDAFA mandatory "shall award" attorney fees documentation and Ketchum/Dague bifurcated lodestar advisory (42–50 min) — arrives when the FRCP 16(b) scheduling order sets the expert disclosure deadline and the § 502(e)(2) CDAFA concurrent claim requires expert support and the bifurcated lodestar record must be assembled. The advisory call covers: Cal. Penal Code § 502(c)(1)–(7) CDAFA prohibited access categories — which of the seven prohibited computer access acts the breach incident satisfies: (c)(1) knowingly access and without permission use data, computer, computer system, or computer network; (c)(2) knowingly access and without permission take, copy, or make use of any data; (c)(6) knowingly and without permission provide or assist providing means of accessing a computer or data for unauthorized access; and (c)(7) knowingly and without permission access or cause to be accessed any computer, computer system, or computer network — matching the breach incident's technical facts to the § 502(c) elements is the advisory call that generates the billing entries supporting the concurrent § 502(e)(2) mandatory "shall award" attorney fees claim; Ketchum v. Moses, 24 Cal.4th 1122 (2001), positive multiplier eligibility analysis for the § 502(e)(2) California mandatory fee component — analyzing contingency risk (TransUnion standing challenge risk, § 1798.150(b) cure-period compliance risk, § 502(c) elements proof risk on the specific breach facts), novelty of CCPA § 1798.150(a) class action law (post-2020 effective date, still developing as applied to large-scale data breaches), preclusion of other employment, and results obtained in light of the aggregate class size and per-consumer statutory damages; City of Burlington v. Dague, 505 U.S. 557 (1992), no-multiplier rule for any companion federal fee-shifting component (CFAA 18 U.S.C. § 1030(g)(1) civil damages, FCRA 15 U.S.C. § 1681o attorney fees if the breach involved consumer credit data, or ECPA civil damages under 18 U.S.C. § 2520) — requiring the Hensley v. Eckerhart task-level segregation of § 502(e)(2) California hours from any CFAA/FCRA/ECPA companion federal-claim hours; and hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), CFAA and § 502 computer access analysis — whether the breach constitutes both a CFAA § 1030(a)(2)(C) unauthorized access violation and a § 502(c) CDAFA violation, creating the companion federal/California split for the bifurcated lodestar. (c) California AG enforcement investigation coordination and parallel civil litigation advisory (42–50 min) — arrives when the scheduling order approaches class certification and the California AG's parallel enforcement investigation (under CCPA Cal. Civ. Code § 1798.199.90, granting the AG civil penalty authority of $2,500 per violation and $7,500 per intentional violation) requires civil litigation coordination. The advisory call covers: California AG CCPA enforcement action coordination — whether the AG's investigation of the same breach event creates a parallel enforcement proceeding that may affect class litigation strategy (civil litigation stay considerations; CCPA § 1798.150(c) limitation on private § 1798.150(a) actions when the AG has initiated an enforcement proceeding against the same business based on the same breach); AG settlement agreement and corrective action plan advisory — whether an AG enforcement settlement creates issue preclusion or collateral estoppel effects in the parallel class action; and CCPA § 1798.199.90 civil penalty interaction with § 1798.150(a) statutory damages — whether the AG penalty payments affect the class settlement damages calculation or the § 1798.150(a) per-consumer statutory damages recovery.
Arithmetic: 6 active CCPA class action clients with concurrent § 502(e)(2) CDAFA claims requiring class certification scope, § 502(e)(2) mandatory fee documentation, and AG enforcement coordination advisory across the year × 3 advisory calls (1 CCPA § 1798.150(a) class certification scope and TransUnion standing audit advisory, 1 § 502(e)(2) CDAFA mandatory "shall award" fees documentation and Ketchum/Dague bifurcated lodestar advisory, 1 California AG enforcement coordination and parallel civil litigation advisory) × 44 min average × 55% untracked = 7.26 untracked hours = $2,178–$3,630/year at $300–$500/hr.
The Welch temporal anchor for CCPA class certification and § 502(e)(2) CDAFA advisory calls runs through PACER — the FRCP 16(b) scheduling order is the secondary anchor. Class certification advisory calls should appear within 24 to 72 hours of the FRCP 16(b) scheduling order's class certification briefing deadline for each briefing milestone. A billing record where CCPA class action entries cluster only at the complaint filing date and at the final approval hearing date — with no entries near the FRCP 16(b) scheduling order's class certification briefing deadline, the expert disclosure deadline, or the expert challenge deadline — is missing the three scheduling-order-driven advisory calls that generate the 7.26 hours annually of FRCP 16(b)-anchored CCPA class certification and § 502(e)(2) CDAFA mandatory fee documentation advisory work. At $300–$500/hr, the 7.26 hours of FRCP 16(b)-driven advisory calls generate $2,178–$3,630 annually that is fully recoverable under § 502(e)(2)'s mandatory "shall award" standard for prevailing CDAFA plaintiffs whose § 502(e)(2) lodestar is documented from the CA AG registry notification date forward through each class certification scheduling order milestone.
The CCPA § 1798.150(a) mandatory statutory damages and § 502(e)(2) CDAFA concurrent mandatory attorney fee petition advisory call cycle on the post-judgment calendar: 4.03 untracked hours = $1,210–$2,017/year
Cal. Civ. Code § 1798.150(a) provides that any consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access as a result of a business's failure to implement and maintain reasonable security procedures and practices "is entitled to institute a civil action" to recover statutory damages of "$100 and not greater than $750 per consumer per incident or actual damages, whichever is greater," injunctive or other relief, and "any other relief the court deems proper" — which California courts have construed to include attorney fees as an element of the consumer's recovery. The per-consumer per-incident statutory damages structure makes the post-judgment advisory calls consequential: in a large data breach affecting 1 million California residents, the § 1798.150(a) mandatory statutory damages range from $100 million (at $100/consumer) to $750 million (at $750/consumer), generating a class settlement or judgment that triggers immediate post-judgment fee advisory calls on the same day the final approval order is entered.
Cal. Penal Code § 502(e)(2) provides an independent concurrent California mandatory attorney fee obligation: "In addition to any other civil remedy provided by law, the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief. Compensatory damages shall include any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the court shall award reasonable attorney's fees to a prevailing plaintiff." The § 502(e)(2) "shall award" mandatory language — standing independently of § 1798.150(a)'s "any other relief" provision — creates a concurrent California mandatory attorney fee obligation that runs in parallel with the § 1798.150(a) statutory damages class action and generates its own post-judgment advisory call on the day the § 502(e)(2) prevailing party determination is made.
§ 1798.150(a) and § 502(e)(2) concurrent mandatory fee petition advisory call types: (a) CCPA § 1798.150(a) mandatory statutory damages calculation and Hensley lodestar fee petition advisory (42–50 min) — arrives when the CCPA class action reaches final approval or a trial judgment is entered and the § 1798.150(a) mandatory statutory damages award must be calculated and the attorney fee motion filed. The advisory call covers: § 1798.150(a)(1) per-consumer per-incident statutory damage calculation for the certified class — multiplying $100–$750 per class member by the certified class size, subject to any California court reductions for proportionality or public policy considerations; § 1798.150(a)(2) actual damages alternative — whether any class members' actual damages (out-of-pocket costs of identity theft remediation, credit monitoring costs, time spent addressing fraud) exceed the $750/consumer statutory maximum, allowing the higher of statutory or actual damages for those class members; Hensley v. Eckerhart, 461 U.S. 424 (1983), lodestar calculation from the California AG Data Breach Report Registry notification date (the § 502(e)(2) mandatory "shall award" standard makes all advisory hours from the CA AG registry notification date forward recoverable, not merely from the civil complaint filing date) — the CA AG registry date is the primary anchor for the lodestar start date, and the billing record must show advisory entries within 24 to 72 hours of the registry notification date to establish the lodestar's starting point; Welch v. Metropolitan Life Insurance Co., 480 F.3d 942 (9th Cir. 2007), contemporaneous records requirement — billing entries must specifically identify the subject matter (e.g., "§ 1798.29(a) mandatory breach notification scope analysis — § 1798.81.5(d) personal information category classification and § 1798.150(a) per-consumer statutory damage exposure calculation: [number] California residents × $100–$750 = [$x]–[$y] aggregate exposure") appearing within 24 to 72 hours of the CA AG registry notification date; PLCM Group, Inc. v. Drexler, 22 Cal.4th 1084 (2000), California prevailing market rate for CCPA data breach class action work in the California market (experienced cybersecurity solo practitioners handling CCPA class actions in California typically bill at $350–$550/hr for the data breach advisory and class certification work); and Missouri v. Jenkins, 491 U.S. 274 (1989), fees-on-fees analysis — hours spent preparing the § 1798.150(a) and § 502(e)(2) fee petitions are themselves recoverable as part of the costs of the action, making the fee petition preparation advisory call itself a recoverable billing event. (b) Cal. Penal Code § 502(e)(2) CDAFA concurrent mandatory attorney fee petition and Ketchum multiplier calculation advisory (42–50 min) — arrives after the § 1798.150(a) class settlement final approval or judgment and the § 502(e)(2) concurrent mandatory attorney fee petition must be filed. The advisory call covers: Cal. Penal Code § 502(e)(2) mandatory "shall award reasonable attorney's fees to a prevailing plaintiff" — the mandatory "shall award" language requires no additional showing beyond prevailing on the § 502(c) CDAFA claim; the § 502(e)(2) attorney fee petition is an independent concurrent mandatory fee petition separate from the § 1798.150(a) statutory damages recovery, running in the same court proceeding but requiring its own lodestar analysis and Ketchum multiplier calculation; Ketchum v. Moses, 24 Cal.4th 1122 (2001), positive multiplier calculation for the § 502(e)(2) California mandatory fee component — analyzing contingency risk (whether the § 502(c) CDAFA unauthorized access elements could be established given the technical facts of the breach incident; TransUnion standing risk for the Article III class members; § 1798.150(b) 30-day cure period compliance risk), novelty and difficulty of the legal questions (CCPA § 1798.150(a) class certification analysis is still developing as applied to post-2020 large-scale breach incidents; the intersection of § 502(e)(2) CDAFA and § 1798.150(a) CCPA fee petition practice is a relatively new area of California law), preclusion of other employment, and results obtained (class settlement or judgment amount relative to aggregate § 1798.150(a) statutory damages exposure); and City of Burlington v. Dague, 505 U.S. 557 (1992), no-multiplier compliance for any companion federal claim fee-shifting component — requiring Hensley task-level segregation between the California § 502(e)(2) CDAFA hours (Ketchum multiplier eligible) and any CFAA/FCRA/ECPA companion federal-claim hours (Dague-limited, no multiplier) before the bifurcated fee petition is filed.
Arithmetic: 5 active cybersecurity fee petition clients requiring § 1798.150(a) mandatory statutory damages calculation and § 502(e)(2) CDAFA concurrent mandatory attorney fee petition advisory across the year × 2 advisory calls (1 CCPA § 1798.150(a) mandatory statutory damages calculation and Hensley lodestar fee petition advisory, 1 § 502(e)(2) CDAFA concurrent mandatory attorney fee petition and Ketchum multiplier calculation advisory) × 44 min average × 55% untracked = 4.03 untracked hours = $1,210–$2,017/year at $300–$500/hr.
The Welch temporal anchor for § 1798.150(a) and § 502(e)(2) post-judgment fee petition advisory calls runs through the court record. The § 1798.150(a) final approval order or judgment is the tertiary anchor — appearing in PACER or the California state court docket on the date the class action is resolved. The post-judgment fee petition advisory call should appear within 24 to 72 hours of the final approval order date or trial judgment date, not clustered near the fee petition filing date weeks or months later. A billing record where the first post-judgment cybersecurity advisory entry is the § 502(e)(2) fee petition filing date — with no advisory entry in the 24-to-72-hour window after the final approval order date — is missing the post-judgment mandatory fee petition advisory call, which begins the § 502(e)(2) Ketchum multiplier analysis clock and must document the bifurcated lodestar strategy before the court's post-judgment scheduling order sets the fee petition filing deadline.
Three diagnostics for cybersecurity billing gap identification using the CA AG Data Breach Registry — FRCP 16(b) — § 1798.150(a)/§ 502(e)(2) three-anchor framework
Diagnostic 1 — California AG Data Breach Report Registry notification date advisory call capture rate (primary anchor). For each cybersecurity data breach matter with a California AG notification obligation, obtain the CA AG Data Breach Report Registry notification date from the oag.ca.gov registry (publicly searchable by company name and breach date) or from the client's incident response records. For each CA AG registry notification date, check whether a California AG § 1798.29 mandatory breach notification scope analysis and § 1798.150(a) statutory damage exposure advisory entry of 38–45 minutes appears within 24 to 72 hours of the date the attorney was first retained or the breach was first disclosed. A billing record where the earliest cybersecurity advisory entry is the CCPA class complaint filing date in PACER — with no entry between the breach disclosure date and the complaint filing date — is likely missing the entire pre-complaint breach notification advisory period, which is recoverable under § 502(e)(2)'s "shall award" standard from the CA AG registry notification date forward. Because the CA AG Data Breach Report Registry appears in no PACER record, a billing expert who queries only PACER for the cybersecurity billing timeline will find the complaint filing date as the earliest entry — systematically understating the § 502(e)(2) mandatory fee-recoverable billing period by the entire pre-complaint regulatory compliance advisory period, which may be 30 to 90 days of breach notification scope analysis, § 1798.150(a) statutory damage exposure calculation, and TransUnion standing audit work at $300–$500/hr before any PACER entry exists.
Diagnostic 2 — FRCP 16(b) scheduling order class certification advisory call capture rate (secondary anchor). For each CCPA § 1798.150(a) class action litigation matter, obtain the FRCP 16(b) scheduling order from PACER and identify the class certification briefing deadline, the expert disclosure deadline, and the expert challenge deadline. For each FRCP 16(b) class certification milestone date, check whether a CCPA § 1798.150(a) class certification scope advisory entry or § 502(e)(2) CDAFA mandatory fee documentation advisory entry appears within 24 to 72 hours of the PACER scheduling order milestone date. A billing record where CCPA class action advisory entries cluster only at the complaint filing date and at the final approval hearing date — with no entries near the FRCP 16(b) class certification briefing deadline, the expert disclosure deadline, or the California AG enforcement coordination advisory window before the class certification hearing — is missing the three scheduling-order-driven advisory calls that generate the 7.26 hours annually of FRCP 16(b)-anchored CCPA class certification and § 502(e)(2) CDAFA Ketchum/Dague advisory work. The FRCP 16(b) secondary anchor is a PACER-visible anchor; its absence or thin coverage in the billing record — compared with thick coverage at the complaint filing date and the final approval date — is the strongest indicator of a lodestar organized around attorney-initiated litigation milestones rather than court-calendar-driven advisory obligations.
Diagnostic 3 — Post-judgment § 1798.150(a)/§ 502(e)(2) concurrent mandatory fee petition advisory call capture rate (tertiary anchor). For each CCPA class action resolution (final approval or trial judgment), obtain the final approval order date or trial judgment date from PACER or the California state court docket and check whether a § 1798.150(a) mandatory statutory damages calculation and Hensley lodestar fee petition advisory entry appears within 24 to 72 hours of that date — not clustered at the fee petition filing date weeks or months later. For matters with concurrent § 502(e)(2) CDAFA claims, check whether a § 502(e)(2) mandatory attorney fee petition and Ketchum multiplier calculation advisory entry appears within the fee petition preparation window and separately identifies California § 502(e)(2) CDAFA hours from any companion federal claim hours (CFAA, FCRA, ECPA). For the bifurcated lodestar diagnostic, review the billing record for task-level entries that separately identify § 502(e)(2) California hours (breach notification scope analysis advisory, § 502(c) unauthorized access elements advisory, Ketchum multiplier analysis advisory — all California CDAFA hours eligible for Ketchum enhancement) from any companion federal-claim hours (CFAA § 1030 unauthorized access analysis advisory, FCRA § 1681o attorney fees advisory — federal hours subject to Dague no-multiplier prohibition). The three-diagnostic framework — cross-referencing the CA AG registry notification date (primary, non-PACER state regulatory), the FRCP 16(b) scheduling order milestone dates (secondary, PACER), and the § 1798.150(a)/§ 502(e)(2) final approval or judgment dates (tertiary, PACER or California court) — is the only three-anchor diagnostic framework in the fee-petition-mechanics series where the primary anchor is established in a state regulatory compliance database before any adversarial proceeding commences, making the primary anchor the least likely to appear in any PACER-based billing reconstruction and the most likely to be missing from a billing record that was not contemporaneously documented from the CA AG registry notification date forward.
How ClaimHour fits cybersecurity data breach practice
If your cybersecurity data breach practice generates California AG breach notification scope analysis advisory calls the morning a client's incident response team confirms that 500 or more California residents' personal information was compromised and the § 1798.29(f) AG notification obligation attached before any class action plaintiff's counsel was retained — HIPAA/CCPA breach notification coordination advisory calls requiring HHS OCR Breach Reporting Tool analysis on a federal non-PACER healthcare database running concurrently with the California AG registry on a compliance calendar rather than any court schedule — CCPA § 1798.150(a) class certification scope and TransUnion standing audit advisory calls when the FRCP 16(b) scheduling order sets the class certification briefing deadline and the class definition strategy must finalize before the motion is filed — § 502(e)(2) CDAFA mandatory "shall award" attorney fees documentation and Ketchum/Dague bifurcated lodestar advisory calls when the class certification order is entered and the California § 502(e)(2) lodestar must be separated from any companion CFAA/FCRA lodestar at the task level — California AG enforcement coordination advisory calls when a parallel CCPA § 1798.199.90 enforcement investigation requires civil litigation coordination before the class certification hearing — § 1798.150(a) mandatory statutory damages calculation and Hensley lodestar fee petition advisory calls within 72 hours of the final approval order when the CA AG registry notification date lodestar start and the § 502(e)(2) "shall award" mandatory fee period must be assembled — § 502(e)(2) CDAFA concurrent mandatory attorney fee petition and Ketchum multiplier calculation advisory calls when the bifurcated California/federal lodestar segregation must be completed and the Ketchum multiplier analysis for the California § 502(e)(2) component must be documented — and none of those advisory calls consistently appear in the billing record because they all arrive on the California AG Data Breach Report Registry calendar (a California state regulatory database that appears in no PACER record and that a billing expert consulting only PACER will never locate), the FRCP 16(b) scheduling order calendar (a court-set calendar generating advisory calls on the court's schedule rather than any attorney-managed deadline), or the post-judgment mandatory fee calendar (where the § 1798.150(a) statutory damages award and the § 502(e)(2) "shall award" mandatory fee obligations begin simultaneously on the final approval date and require two separate lodestar analyses with different multiplier rules) — ClaimHour was built for that gap.
The passive iOS call metadata capture logs every advisory call — duration, timestamp, direction — not the substance of the privileged conversation. The 2-minute evening digest surfaces each unmatched call for matter attribution. No audio stored. Attorney-client privilege is preserved because metadata alone does not constitute a communication or a disclosure of client confidences, consistent with ABA Formal Opinion 512 and the privilege framework under Cal. Evid. Code §§ 950–954. At $300–$500/hr, 17.16 additional tracked hours per year = $5,148–$8,580 of previously unlogged time. For the § 502(e)(2) CDAFA mandatory fee petition component where the Ketchum positive multiplier applies at 1.5× to the California CDAFA advisory hours — converting the California § 502(e)(2) lodestar to a Ketchum-enhanced ceiling above the PLCM Group prevailing market rate for complex CCPA data breach class action work — the bifurcated fee petition recovers both the full Dague-compliant federal-component lodestar (no Ketchum multiplier, but any mandatory fee standard applies without exceptionality showing) and the maximum Ketchum-enhanced § 502(e)(2) California CDAFA lodestar (positive multiplier eligible, "shall award" mandatory without any additional showing) simultaneously on the same underlying breach event. The contemporaneous per-call billing records that appear within 24–72 hours of the California AG Data Breach Report Registry notification date (primary non-PACER state regulatory anchor — the only primary anchor in the series that predates any adversarial proceeding), within 24–72 hours of the FRCP 16(b) scheduling order class certification milestone dates (secondary PACER anchor), and within 72 hours of the final approval order or trial judgment date (tertiary anchor) — the complete three-anchor pre-litigation-to-post-judgment regulatory-and-court-calendar mandatory fee temporal consistency framework that makes every cybersecurity data breach advisory call defensible when the billing expert cross-checks all three Welch anchors across the California AG registry, PACER, and the California state court simultaneously.
Related questions
Why is the California AG Data Breach Report Registry the only primary Welch anchor in the fee-petition-mechanics series that is established before any litigation is contemplated?
Cal. Civ. Code § 1798.29(a) and § 1798.82(a) impose mandatory breach notification obligations that attach to the breach event itself — before any lawsuit is filed, before any plaintiff's attorney is retained, and before any court has jurisdiction. When a qualifying breach affects 500 or more California residents, § 1798.29(f) and § 1798.82(f) require the business to notify the California AG, creating a Data Breach Report Registry entry that correlates with the earliest breach notification advisory calls. Every other primary anchor in the series is triggered by an adversarial proceeding: FBI Sentinel (RICO) opens when the FBI opens an investigation; EOIR CSO portal (immigration removal) opens when removal proceedings are filed; TTABVUE (trademark) opens when the inter partes opposition is filed; OAH e-filing (professional license defense) opens when the accusation is served. The CA AG Data Breach Report Registry is the only primary anchor triggered by a mandatory pre-litigation compliance obligation rather than an adversarial act — making it the only anchor where the lodestar period begins (under § 502(e)(2)'s "shall award" mandatory standard) in a state regulatory database before the engagement letter, civil complaint, or PACER entry exists. Total annual billing gap from advisory call underlogging: $5,148–$8,580/year at $300–$500/hr.
Is CCPA § 1798.150(a) a mandatory fee-shifting provision, and how does it differ structurally from Cal. Penal Code § 502(e)(2) CDAFA as a fee mechanism?
Cal. Civ. Code § 1798.150(a) creates mandatory statutory damages of $100–$750 per consumer per incident — a damages provision, not a fee-shifting provision in the strict sense — plus "any other relief the court deems proper" (which California courts construe to include attorney fees as a cost element). Cal. Penal Code § 502(e)(2) is an independent California mandatory fee-shifting provision: the court "shall award reasonable attorney's fees to a prevailing plaintiff" — mandatory language identical in structure to § 1964(c)'s "shall recover" (RICO) and § 1692k(a)(3)'s "shall award" (FDCPA). The § 502(e)(2) "shall award" standard is the operative mandatory fee provision for the Ketchum v. Moses, 24 Cal.4th 1122 (2001), positive multiplier analysis; § 1798.150(a)'s attorney fee cost element is a secondary recovery. A billing record that documents only § 1798.150(a) statutory damages class action work — without separately identifying the § 502(e)(2) CDAFA elements advisory calls that establish the concurrent CDAFA claim — cannot support the maximum Ketchum-enhanced § 502(e)(2) mandatory attorney fee petition that is independently recoverable from the CA AG registry notification date forward.
How does the Ketchum/Dague bifurcation work in a concurrent CCPA § 1798.150(a) and Cal. Penal Code § 502(e)(2) CDAFA case?
Ketchum v. Moses, 24 Cal.4th 1122 (2001), authorizes a positive multiplier for California mandatory fee statutes, including § 502(e)(2). City of Burlington v. Dague, 505 U.S. 557 (1992), prohibits contingency enhancement for federal fee-shifting statutes, including CFAA § 1030(g)(1), FCRA § 1681o, or ECPA civil damages. Task-level billing segregation required: (a) CA AG registry breach notification scope analysis advisory hours — § 502(e)(2) California hours, Ketchum eligible; (b) § 502(c)(1)–(7) CDAFA unauthorized access elements analysis advisory hours — § 502(e)(2) California hours, Ketchum eligible; (c) CCPA § 1798.150(a) class certification and TransUnion standing advisory hours — California hours for the § 1798.150(a) claim, Ketchum eligible for the § 502(e)(2) concurrent claim lodestar; (d) CFAA § 1030 unauthorized access analysis advisory hours — federal claim hours, Dague-limited; (e) FCRA § 1681o advisory hours if consumer credit data was breached — federal claim hours, Dague-limited; (f) § 502(e)(2) fee petition preparation advisory hours — Commissioner, INS v. Jean, 496 U.S. 154 (1990), fees-on-fees recoverable, Ketchum eligible. Any hour logged as undifferentiated "data breach" or "CCPA" without identifying whether the work addressed the California § 502(e)(2) CDAFA claim or a companion federal claim cannot be allocated to the Ketchum-eligible California lodestar without a contemporaneous task description identifying the specific § 502(c) element or CA AG registry advisory work performed in that hour.
How do Spokeo v. Robins and TransUnion LLC v. Ramirez affect standing in CCPA § 1798.150(a) class actions and what billing advisory obligations do they create before the class complaint is filed?
Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), requires that a plaintiff alleging a statutory violation must also demonstrate a concrete, particularized injury — a bare procedural violation without concrete harm does not satisfy Article III. TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), refined this analysis: in a statutory damages class action, only class members who suffered concrete harm bearing a close relationship to a traditionally recognized tort form have Article III standing for damages in federal court. For CCPA § 1798.150(a) class actions, TransUnion creates a pre-complaint class definition advisory obligation that arrives on the CA AG registry calendar before any complaint is filed: the attorney must assess whether to define a narrower concrete-harm class (demonstrated financial fraud, identity theft, unauthorized account access) for federal court filing — where TransUnion standing analysis applies but class size and aggregate statutory damages are lower — or a broader informational-exposure class for California state court filing under Cal. Code Civ. Proc. § 382, where Article III TransUnion standing is not the operative test. This class definition strategy advisory call arrives on the CA AG Data Breach Report Registry calendar — driven by the breach notification timeline — generating a billing entry that is recoverable under § 502(e)(2)'s "shall award" standard as part of the pre-complaint breach advisory period at the CA AG registry notification date, which appears in no PACER record.
How does the breach notification date in the California AG Data Breach Report Registry establish the § 502(e)(2) CDAFA lodestar start date, and why does it appear in no PACER record?
The CA AG Data Breach Report Registry records the mandatory breach notification submitted by the breached business under Cal. Civ. Code § 1798.29(f) when 500 or more California residents are affected. The registry entry date correlates with the attorney's earliest breach notification advisory calls — breach scope analysis, § 1798.150(a) statutory damage exposure calculation, TransUnion standing audit, HIPAA parallel notification advisory — and is the starting point of the § 502(e)(2) mandatory "shall award" fee-recoverable billing period under Hensley v. Eckerhart, 461 U.S. 424 (1983). The CA AG registry appears in no PACER record. The earliest PACER entry for a data breach class action is the civil CCPA complaint filing date, which may postdate the CA AG registry notification date by 30 to 90 days. A billing expert consulting only PACER will find the complaint filing date as the earliest billing anchor — systematically understating the § 502(e)(2) mandatory fee-recoverable billing period by the entire pre-complaint regulatory compliance advisory period. A Hensley lodestar for a § 502(e)(2) fee petition that begins from the complaint filing date rather than the CA AG registry notification date misses 30 to 90 days of breach notification scope analysis, § 1798.150(a) statutory damage exposure calculation, and TransUnion standing advisory work at $300–$500/hr — advisory work that is fully recoverable under § 502(e)(2)'s "shall award" mandatory standard from the CA AG registry notification date forward.
What are the three Welch temporal anchors for cybersecurity billing, and what makes the primary anchor structurally unique in the fee-petition-mechanics series?
The three Welch v. Metropolitan Life Insurance Co., 480 F.3d 942 (9th Cir. 2007), temporal anchors for cybersecurity billing are: (1) California AG Data Breach Report Registry notification date — California state regulatory database at oag.ca.gov, non-PACER, established as a mandatory compliance obligation before any civil complaint is filed; primary anchor; structurally unique in the series because it is the only primary anchor triggered by a pre-litigation regulatory compliance obligation rather than by an adversarial act or proceeding commencement. (2) FRCP 16(b) scheduling order class certification briefing deadline date — CM/ECF PACER, secondary anchor; triggers CCPA § 1798.150(a) class certification scope, TransUnion standing audit, § 502(e)(2) CDAFA mandatory fee documentation, and California AG enforcement coordination advisory calls at each scheduling order milestone. (3) CCPA § 1798.150(a) mandatory statutory damages and § 502(e)(2) CDAFA attorney fee award order date — PACER or California state court, tertiary anchor; triggers § 1798.150(a) per-consumer statutory damages calculation, § 502(e)(2) mandatory "shall award" Ketchum multiplier calculation, and bifurcated California/federal lodestar assembly advisory calls within 24 to 72 hours of the final approval order. The primary anchor's structural uniqueness creates the most consequential billing documentation gap in the series: because the CA AG registry notification date appears in no PACER record and precedes the civil complaint by 30 to 90 days, a billing record anchored only to PACER dates systematically excludes the entire pre-complaint breach notification advisory period from the § 502(e)(2) mandatory fee-recoverable lodestar — understating the "shall award" fee recovery by the most valuable advisory period in cybersecurity practice, which is the period when breach scope is being analyzed and the § 1798.150(a) statutory damages class exposure is first being quantified.
Further reading
- Cybersecurity attorney fee petition mechanics — companion programmatic SEO page covering the same three billing failure modes with full lodestar arithmetic, the California AG Data Breach Report Registry non-PACER primary Welch anchor structure, the § 502(e)(2) CDAFA mandatory "shall award" California fee provision, the Ketchum/Dague bifurcated lodestar requirement, and the three-anchor Welch temporal framework (CA AG registry notification date + FRCP 16(b) scheduling order date + § 1798.150(a)/§ 502(e)(2) fee award order date)
- Cybersecurity attorney time tracking — time-tracking companion page targeting the broader cybersecurity billing keyword cluster; CA AG Data Breach Report Registry advisory billing gap, CCPA class certification and § 502(e)(2) CDAFA advisory billing gap, and § 1798.150(a) mandatory statutory damages fee petition advisory billing gap
- RICO attorney fee petition mechanics — 18 U.S.C. § 1964(c) mandatory treble damages and FBI Sentinel/DOJ predicate act advisory on the FBI non-PACER investigation calendar, § 1964(c) RICO pattern analysis and Sedima continuity advisory on the FRCP 16(b) scheduling order, and § 1964(c)/§ 496(c) dual mandatory fee petition advisory; RICO is the only other practice area in the series with a California mandatory fee provision running concurrently with a federal mandatory fee provision (Cal. Penal Code § 496(c) CalRICO concurrent with 18 U.S.C. § 1964(c)), creating the same Ketchum/Dague bifurcated lodestar structure as cybersecurity's § 502(e)(2)/CFAA concurrent fee structure — though the RICO dual-sovereign structure involves two independent mandatory shall-receive/shall-recover obligations from two separate sovereigns, while cybersecurity's § 502(e)(2)/§ 1798.150(a) structure involves a California mandatory "shall award" fee provision and a California statutory damages provision running in the same state
- FDCPA and FCRA time tracking: the proportionality defense for high-volume consumer practices — 15 U.S.C. § 1692k(a)(3) mandatory "shall award" FDCPA attorney fees and Cal. Civ. Code § 1788.30(c) Rosenthal Act mandatory "shall award" concurrent California fees; the FDCPA/Rosenthal Act dual-sovereign mandatory fee structure is structurally parallel to the cybersecurity § 502(e)(2)/CFAA structure in that both involve a California mandatory "shall award" fee provision eligible for the Ketchum multiplier running alongside a federal fee-shifting provision subject to Dague — though FDCPA's § 1692k(a)(3) is a direct federal mandatory fee provision while cybersecurity's companion federal claim (CFAA, FCRA) may or may not carry mandatory federal attorney fees depending on the specific companion claims pleaded
- Appellate attorney fee petition mechanics — CRC 8.212 briefing schedule advisory call cycle on the California Courts Case Information System non-PACER calendar, CRC 8.272 remittitur and Cal. Code Civ. Proc. § 1021.5 private attorney general fee petition advisory on the CCIS remittitur calendar, and FRAP 39/9th Circuit Rule 39-1 federal fee petition advisory; the § 1021.5 Ketchum multiplier available for the California appellate fee petition component is the same Ketchum analysis that applies to the § 502(e)(2) California cybersecurity mandatory fee component — Dague prohibits the multiplier for the FRAP 39/EAJA federal component in appellate practice, and Dague prohibits the multiplier for the CFAA/FCRA federal component in cybersecurity practice, creating the same bifurcated California/federal lodestar structure across both practice areas
- Section 1983 civil rights attorney fee petition mechanics — 42 U.S.C. § 1988 mandatory attorney fee petition mechanics, qualified immunity interlocutory appeal billing complexity, and contemporaneous records as the threshold for fees-on-fees recovery; § 1988 mandatory "shall allow" fee-shifting for prevailing § 1983 plaintiffs is a federal mandatory fee provision subject to Dague (no Ketchum multiplier), structurally parallel to any companion federal claim fee-shifting provision in cybersecurity practice — though § 1988 involves a standalone federal civil rights claim rather than a companion federal claim to a California § 502(e)(2) CDAFA primary claim