Fee petition mechanics · Updated July 2026

California CCPA data breach private right of action attorney fee petition mechanics: date of security breach as primary Welch anchor, Civ. Code § 1798.150 statutory damages and § 1021.5 attorney fees

California CCPA/CPRA data breach private right of action attorney fee billing (Civ. Code § 1798.150(a)(1): 'Any consumer whose nonencrypted and nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred fifty ($750) per consumer per incident or actual damages, whichever is greater; (B) Injunctive or declaratory relief; (C) Any other relief the court deems proper'; § 1798.150(a)(2): in assessing statutory damages, court considers nature and seriousness of misconduct, number of violations, persistence of misconduct, length of time, willfulness of defendant, and defendant's ability to pay; attorney fees in § 1798.150 actions via: [1] § 1021.5 private attorney general theory where breach affects significant number of California consumers [§ 1021.5(a) significant public benefit satisfied by large-scale breach; § 1021.5(b) financial burden requirement satisfied where $100–$750/consumer recovery insufficient to incentivize private enforcement]; [2] class action common fund doctrine; [3] injunctive relief cost award; DISTINCT from § 1798.82 [data breach notification obligation — FAILURE TO NOTIFY consumers and AG after breach; different violation type; different Welch anchor: DATE OF BREACH DISCOVERY on business CISO/SOC calendar vs. DATE OF BREACH itself; § 1798.82 fees via § 1021.5 for notification failure]; DISTINCT from § 1798.83 Shine the Light [consumer information sharing disclosure request failure — DATE OF BUSINESS FAILURE TO RESPOND 30-DAY REQUEST on CRM/customer service calendar; entirely different violation: unauthorized access vs. 
failure to respond]; DISTINCT from § 1798.120 [CCPA opt-out request; 15-business-day response deadline; different context]; DISTINCT from § 56.36 Confidentiality of Medical Information Act [medical context specifically; healthcare provider; different covered entity]; DISTINCT from Cal. Pen. Code § 502 [California computer crime — intentional unauthorized access; criminal statute]; no direct federal parallel with private right of action and statutory damages for data security failures [HIPAA no private right of action; FTC Act § 5 no private right of action; federal CFAA requires intentional unauthorized access not negligent security failure] → no Ketchum/Dague split; pure Ketchum multiplier eligible in California Superior Court; Ketchum v. Moses 24 Cal.4th 1122 (2001); PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000); Hensley v. Eckerhart 461 U.S. 424 (1983) lodestar from DATE OF SECURITY BREACH; Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees) — solos billing hourly on § 1798.150 CCPA data breach statutory damages and § 1021.5 attorney fees in which the primary Welch temporal anchor is the DATE OF PERSONAL INFORMATION SECURITY BREACH (the date on which the business's information systems were first subjected to unauthorized access and exfiltration — business's own SIEM/XDR cybersecurity monitoring system [CrowdStrike Falcon, Palo Alto Cortex XSOAR, Splunk SIEM, SentinelOne Singularity, Microsoft Azure Sentinel, Qualys VMDR, Tenable.io] records first unauthorized access event on CISO/SOC's own institutional security monitoring calendar entirely outside consumer-plaintiff attorney's scheduling control; the ONLY primary anchor in the fee-petition-mechanics series in a BUSINESS'S OWN SIEM/XDR CYBERSECURITY MONITORING CALENDAR DATE for a statutory damages private right of action [DISTINCT from § 1798.83 Shine the Light which is a business's own CRM/CUSTOMER-SERVICE CALENDAR DATE for a disclosure REQUEST RESPONSE FAILURE; DISTINCT from § 1798.82 breach notification 
which is a business's SIEM calendar for DISCOVERY but focuses on notification obligation]) — generate three billing gaps: § 1798.150(a) nonencrypted personal information and reasonable security analysis and breach documentation advisory calls (7 clients × 2 calls × 42 min × 55% ≈ 5.39 hrs = $1,617–$2,695/year at $300–$500/hr), SIEM cybersecurity breach calendar and CPPA/AG enforcement calendar and AG cyber unit investigation calendar advisory calls (6 clients × 3 calls × 44 min × 55% ≈ 7.26 hrs = $2,178–$3,630/year), and § 1798.150 statutory damages and § 1021.5 attorney fees and class action common fund and Ketchum multiplier advisory calls (5 clients × 2 calls × 44 min × 55% ≈ 4.03 hrs = $1,210–$2,017/year). For a solo California § 1798.150 CCPA data breach attorney fee practice, the annual billing gap from advisory call underlogging is $5,005–$8,342.

TL;DR

ClaimHour captures every § 1798.150(a) nonencrypted personal information and reasonable security analysis and breach scope documentation advisory call that starts the fee documentation period from the DATE OF SECURITY BREACH (on the business's own SIEM/XDR cybersecurity monitoring calendar — CrowdStrike Falcon, Palo Alto Cortex XSOAR, Splunk SIEM, SentinelOne, Azure Sentinel records first unauthorized access event on CISO/SOC's own institutional calendar entirely outside plaintiff attorney's scheduling control), every concurrent SIEM breach calendar and CPPA/AG enforcement calendar and AG cyber unit investigation calendar advisory call, and every § 1798.150 statutory damages and § 1021.5 attorney fees and class action common fund and Ketchum multiplier advisory call — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.

§ 1798.150(a) nonencrypted personal information and reasonable security analysis and breach documentation advisory: calls on the SIEM cybersecurity breach calendar

The DATE OF PERSONAL INFORMATION SECURITY BREACH — the date on which the business's systems were first subjected to unauthorized access — is the primary Welch temporal anchor for § 1798.150 attorney fee billing documentation. This date is recorded on the business's own SIEM and XDR cybersecurity monitoring calendar (CrowdStrike Falcon, Palo Alto Cortex XSOAR, Splunk SIEM, SentinelOne Singularity, Microsoft Azure Sentinel, Qualys VMDR) entirely outside the consumer-plaintiff attorney's scheduling control. § 1798.150(a)(1) requires: (1) the personal information was "nonencrypted and nonredacted" — the encryption status and redaction status of the personal information at the time of breach are factual questions established by the business's own security architecture documentation; (2) the data was "subject to unauthorized access and exfiltration, theft, or disclosure" — the nature of the breach is established by the business's own forensic investigation results; (3) the breach resulted "from the business's violation of the duty to implement and maintain reasonable security procedures and practices" — reasonable security analysis under California's de facto standard (Center for Internet Security Critical Security Controls; NIST Cybersecurity Framework; ISO/IEC 27001; CIS Benchmarks; SOC 2 Type II audit report). Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983). Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.

Three initial advisory call types generate untracked billing from the breach date: (1) § 1798.150(a)(1) nonencrypted personal information and breach scope documentation advisory — arrives at intake ('nonencrypted and nonredacted' requirement: business's own security architecture and encryption implementation documentation must be obtained through civil discovery; breach scope: how many consumers' personal information was exposed? — business's own forensic investigation report quantifies scope; § 1798.150(a)(1) 'personal information' definition [§ 1798.140(v)]: social security number, driver's license, account credentials, medical information, health insurance information, unique biometric data — scope of covered personal information advisory; 42–48 min per call); (2) reasonable security analysis and industry standard advisory — arrives after breach scope is established (§ 1798.150(a)(1) 'violation of the duty to implement and maintain reasonable security procedures' — California's 'reasonable security' standard under the California Information Security Office (CISO's Statewide Information Management Manual) and OAG 2016 Data Breach Report [OAG identified CIS Critical Security Controls as the baseline for 'reasonable security']; specific reasonable security failures advisory: multi-factor authentication absence, unpatched known vulnerabilities, inadequate access controls, unencrypted personal information, phishing-susceptible email configurations, inadequate logging and monitoring — each security failure must be documented from business's own security architecture documentation; 42–48 min per call); (3) § 1021.5 attorney fee theory analysis and § 1798.150 class action vs. 
individual action advisory — arrives at complaint preparation (§ 1021.5 'significant public benefit' analysis for individual § 1798.150 claim: [a] number of affected consumers — breach affecting 10,000+ consumers may satisfy § 1021.5(a)(2) 'significant benefit to the public'; [b] § 1021.5(b) financial burden — individual consumer's $100–$750 statutory recovery is insufficient to incentivize individual private enforcement; [c] § 1021.5(b) 'private enforcement is necessary' — AG/CPPA enforcement calendar is separate from private right of action; class action advisory: [a] CAFA federal court jurisdiction if 100+ class members and $5M+ in controversy; [b] California class action in Superior Court under CCP § 382; [c] common fund doctrine — attorney fees from settlement fund; advisory calls arrive as complaint strategy is developed; 42–48 min per call). At 55% untracked: 7 clients × 2 calls × 42 min × 55% = 323.4 min / 60 = 5.39 hours = $1,617–$2,695/year at $300–$500/hr.

Business SIEM security breach calendar and CPPA enforcement calendar and AG cyber unit investigation calendar: calls on external institutional calendars entirely outside plaintiff attorney control

A California § 1798.150 CCPA data breach case typically involves three concurrent external institutional calendars entirely outside the consumer-plaintiff attorney's scheduling control: the business's own SIEM/XDR cybersecurity monitoring calendar [CrowdStrike Falcon, Palo Alto Cortex XSOAR, Splunk, SentinelOne, or Azure Sentinel records the incident detection, confirmation, containment, eradication, and forensic investigation completion dates on the CISO/SOC's own security incident response calendar; the forensic investigation report (engagement letter with forensic firm, e.g., Mandiant, CrowdStrike Services, Unit 42, or Kroll Cyber) documents the breach timeline on the forensic firm's own investigation calendar; PCI DSS v4.0 incident notification to card brands (Visa, Mastercard) within 24 hours of confirmed breach is on the PCI Council compliance calendar; ISO/IEC 27001 incident response procedure is on the business's own ISMS calendar — all entirely outside consumer-plaintiff attorney's control; breach notification to consumers and AG under § 1798.82 (30-calendar-day or 45-calendar-day notification obligation depending on size of breach) is on the business's own notification planning calendar]; the California Privacy Protection Agency enforcement calendar [CPPA's own rulemaking and enforcement calendar; CPPA has authority to issue administrative citations and levy fines up to $2,500 per unintentional violation and $7,500 per intentional violation per record per day; CPPA's own administrative enforcement proceeding calendar (investigation opening, notice, response period, administrative hearing, final order) is entirely outside consumer-plaintiff attorney's control; CPPA enforcement action may be concurrent with or prior to consumer civil action — coordination advisory required; CPPA enforcement order may include injunctive relief requiring business to implement specific security measures on CPPA's own compliance monitoring calendar]; and the AG cyber unit 
investigation calendar [California Attorney General's Cybercrime Section's own criminal investigation and prosecution calendar; if breach involves criminal hacking under Cal. Pen. Code § 502, AG's Cybercrime Section opens investigation on AG's own institutional calendar; federal FBI Cyber Division investigation (18 U.S.C. § 1030 CFAA federal computer fraud) — FBI opens investigation on FBI's own case management calendar entirely outside civil plaintiff attorney's scheduling control; AG civil enforcement action calendar — AG may open a civil § 1798.150 enforcement action on AG's own institutional calendar concurrent with consumer private right of action; AG enforcement settlement or consent decree may include injunctive relief and civil penalties that must be coordinated with private civil action on AG's own calendar]. Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983) lodestar from DATE OF SECURITY BREACH. Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.

Three concurrent external calendar advisory call types generate untracked billing: (1) SIEM forensic investigation report and breach timeline documentation advisory — arrives when forensic report is produced (forensic firm's investigation completion date on forensic firm's own investigation calendar; forensic report contents: breach timeline, attack vector, data exfiltration confirmation, affected consumer count, types of personal information exposed — advisory calls reviewing forensic report findings arrive when report is produced on forensic firm's own calendar entirely outside plaintiff attorney's control; 44–50 min per call); (2) CPPA enforcement calendar advisory — arrives when CPPA enforcement action is opened (CPPA enforcement action coordination advisory: if CPPA opens enforcement concurrent with private action, consumer plaintiff must consider [a] whether CPPA enforcement tolls the statute of limitations for private action; [b] whether CPPA settlement moots private injunctive relief claims; [c] whether consumer plaintiff's individual § 1798.150(a)(1) statutory damages claim is affected by CPPA enforcement order; CPPA administrative hearing calendar is on CPPA's own institutional calendar entirely outside private plaintiff attorney's control; 44–50 min per call); (3) AG cyber unit and federal investigation calendar advisory — arrives when AG or FBI opens investigation (AG civil enforcement action on AG's own institutional calendar; FBI CFAA investigation on FBI's own case management calendar; advisory calls: [a] whether civil § 1798.150 discovery should be coordinated with or stayed pending federal criminal investigation; [b] whether federal CFAA charges create concurrent federal civil CFAA claim [18 U.S.C.
§ 1030(g) private right of action]; [c] federal CFAA civil claim creates Ketchum/Dague split: CFAA attorney fees unavailable in federal court under Dague; § 1021.5 state fees available in California Superior Court → Hensley segregation of federal CFAA hours from state § 1021.5 hours required if concurrent federal and state claims pled; 44–50 min per call). At 55% untracked: 6 clients × 3 calls × 44 min × 55% = 435.6 min / 60 = 7.26 hours = $2,178–$3,630/year at $300–$500/hr.

§ 1798.150 statutory damages and § 1021.5 attorney fees and class action common fund and Ketchum multiplier advisory: calls on the post-judgment fee petition calendar

California § 1798.150 CCPA data breach cases use § 1021.5 private attorney general theory (for individual actions where breach affects significant number of consumers) or the class action common fund doctrine (for class actions) as the attorney fee recovery mechanism. The fee petition requires a Hensley lodestar from the DATE OF SECURITY BREACH through reasonable security analysis, breach scope documentation, CPPA advisory, AG/FBI advisory, class action or individual action, trial or settlement, and fee petition preparation. No direct federal parallel for § 1798.150's private right of action for data security failures → no Ketchum/Dague split for state § 1021.5 fees arising from § 1798.150 claims in California Superior Court. Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983). Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.

Two post-judgment advisory call types generate untracked billing: (1) § 1798.150 statutory damages calculation and § 1021.5 fee theory analysis advisory — arrives at judgment or settlement (§ 1798.150(a)(1) statutory damages: $100–$750 per consumer per incident × number of affected consumers × number of incidents; in assessing statutory damages, § 1798.150(a)(2) factors: [a] nature and seriousness of misconduct; [b] number of violations; [c] persistence of misconduct; [d] length of time; [e] willfulness of defendant; [f] defendant's ability to pay; § 1021.5 attorney fees: [a] significant public benefit analysis: how many consumers were affected? does breach reveal systemic security failures at a major business?; [b] financial burden: was individual consumer's $100–$750 statutory recovery insufficient to motivate private enforcement?; [c] necessity of private enforcement: did AG/CPPA enforcement address the specific violation?; class action common fund: if class action, standard percentage-of-recovery or lodestar-with-multiplier method; Missouri v. Jenkins 491 U.S. 
274 (1989) fees-on-fees for fee petition preparation hours; 44–50 min per call); (2) Ketchum multiplier and § 1798.150 contingency factors advisory — arrives at fee petition (Ketchum five-factor multiplier for California § 1021.5 fees in § 1798.150 case; no Dague constraint for state § 1021.5 fees [Dague applies to federal fee-shifting statutes in federal court — § 1021.5 is California state court, no Dague]; Ketchum contingency factors: [a] 'nonencrypted and nonredacted' element uncertainty: if business contends personal information was encrypted, entire § 1798.150 claim fails; [b] 'reasonable security violation' element uncertainty: business will retain cybersecurity expert to contest reasonable security standard; [c] § 1021.5 'significant public benefit' uncertainty: if breach is small-scale, § 1021.5 may be unavailable; [d] CPPA enforcement preemption uncertainty: whether CPPA enforcement action would moot private claim was uncertain at intake; [e] class certification uncertainty: whether breach affected class of consumers with commonality sufficient for class certification was uncertain at intake; PLCM Group 22 Cal.4th 1084 (2000) prevailing market rate for California privacy litigation; Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees; 44–50 min per call). At 55% untracked: 5 clients × 2 calls × 44 min × 55% = 242 min / 60 = 4.03 hours = $1,210–$2,017/year at $300–$500/hr.

How ClaimHour fits California Civ. Code § 1798.150 CCPA data breach attorney fee practice

California § 1798.150 CCPA data breach solos billing hourly on statutory damages and § 1021.5 attorney fees — with § 1798.150(a) nonencrypted personal information and reasonable security analysis and breach scope documentation advisory calls arriving at intake (DATE OF SECURITY BREACH = primary Welch anchor; the ONLY primary anchor in the fee-petition-mechanics series in a BUSINESS'S OWN SIEM/XDR CYBERSECURITY MONITORING CALENDAR DATE for a statutory damages private right of action [CrowdStrike Falcon, Palo Alto Cortex XSOAR, Splunk SIEM, SentinelOne, Azure Sentinel records first unauthorized access event on CISO/SOC's own security monitoring calendar entirely outside plaintiff attorney's scheduling control]; § 1798.150(a)(1) $100–$750/consumer/incident statutory damages; § 1021.5 attorney fees via significant public benefit theory in individual actions; class action common fund attorney fees; no direct federal parallel with private right of action for data security failures [HIPAA no private right of action; FTC Act § 5 no private right of action; federal CFAA requires intentional unauthorized access] → no Ketchum/Dague split; pure Ketchum multiplier eligible; DISTINCT from § 1798.82 breach notification [notification obligation, different Welch anchor]; DISTINCT from § 1798.83 Shine the Light [disclosure request response failure, CRM calendar anchor]; DISTINCT from § 56.36 Confidentiality of Medical Information Act [medical context only]), SIEM forensic investigation report calendar advisory calls, CPPA enforcement calendar advisory calls on CPPA's own institutional calendar, AG cyber unit and FBI investigation calendar advisory calls on institutional prosecution calendars, and § 1798.150 statutory damages and § 1021.5 attorney fees and Ketchum multiplier advisory calls — and if your § 1021.5 or class action common fund lodestar documentation must satisfy the Hensley contemporaneous-record standard from the DATE OF SECURITY BREACH through reasonable security 
analysis, breach scope documentation, CPPA advisory, AG/FBI advisory, and fee petition, ClaimHour was built for that gap.
