Fee petition mechanics · Updated June 2026
California Data Breach Notification Act attorney fee petition mechanics: data breach discovery date as primary Welch anchor, Civ. Code § 1798.84(b) attorney fees
California Data Breach Notification Act civil enforcement (Cal. Civ. Code § 1798.82 and § 1798.84) solos billing hourly on attorney fees — in actions where the primary Welch temporal anchor is the DATE OF DATA BREACH FIRST DISCOVERED (the date the defendant person or business first 'discovers' or receives 'notification' of the breach in the security of the computerized data under Civ. Code § 1798.82(a); the DATE OF DATA BREACH FIRST DISCOVERED is the ONLY primary anchor in the entire fee-petition-mechanics series in a CYBERSECURITY INCIDENT DISCOVERY DATE — the internal date on which the defendant's own IT security staff, third-party incident response vendor [Mandiant, CrowdStrike, Palo Alto Unit 42, etc.], or security monitoring service [SIEM platform alert, EDR telemetry, network anomaly detection] first identified unauthorized access to or acquisition of unencrypted personal information qualifying under § 1798.82(b); this date initially exists only in the defendant's internal incident response documentation — the IR vendor's initial alert email, the IT security team's internal ticket, the CISO's notification to general counsel — before any government agency notification is made, before any consumer notification is sent, before any class counsel is retained, and before any civil complaint is filed; the DATE OF DATA BREACH FIRST DISCOVERED is structurally distinct from: CCPA/CPRA data breach private right date [Civ. Code § 1798.150 — tier_uu — CCPA § 1798.150 covers the same cybersecurity event but applies specifically to 'unauthorized access and exfiltration, theft, or disclosure' of CCPA-defined 'sensitive personal information' with statutory damages $100–$750/consumer/incident; § 1798.82 applies to ANY qualifying breach of the broader § 1798.82(b) personal information definition and is the earlier, broader breach notification statute; CCPA § 1798.150 private right was added in 2018 while § 1798.82 has existed since 2003; an attorney may have concurrent § 1798.82 and § 1798.150 claims from the same breach event, requiring Hensley task-level segregation from the breach discovery date]; California Penal Code § 502 CDAFA cyber-trespass date [the date of the unauthorized computer access, not the discovery date — § 502 mandatory fees tier is distinct from § 1798.82 notification duty]; cybersecurity attorney fee petition [covered in the separate cybersecurity-attorney-fee-petition-mechanics page — focused on AG data breach registry and CCPA § 1798.150 class actions]; Song-Beverly Credit Card Act transaction date [§ 1747.08 — in-person POS transaction, not a cybersecurity incident]; Civ. Code § 1798.82(a): 'A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person'; § 1798.82(a): notification must be 'in the most expedient time possible and without unreasonable delay'; § 1798.82(b) personal information definition: name + [SS#; driver's license; account/card number + access code; medical information; health insurance information; ALPR data; online credentials]; § 1798.82(c): law enforcement delay exception — if law enforcement agency determines notification would impede criminal investigation, notification may be delayed; § 1798.82(d) notification content requirements: [1] name and contact information of reporting entity; [2] list of types of personal information breached; [3] date or date range of breach; [4] whether law enforcement delay applies; [5] general description of breach incident; [6] toll-free numbers for consumer reporting agencies if SS# or driver's license was breached; § 1798.82(f): AG notification required when breach affects 500+ California residents; § 1798.84(a): 'Any customer injured by a violation of this title may institute a civil action to recover damages'; § 1798.84(b): 'In a civil action brought to enforce this section, a court may award reasonable attorney's fees to a plaintiff who prevails' — DISCRETIONARY (unlike § 1747.08(e) mandatory prevailing-party fees; unlike § 2802(c) mandatory employee fees; unlike CUTSA § 3426.4 mandatory bad-faith fees); discretionary fee awards are subject to Court of Appeal review for abuse of discretion; § 1798.84(f): California AG enforcement; California data breach notification is the general statute DISTINCT from: HIPAA Breach Notification Rule [45 C.F.R. § 164.400 — federal HHS/OCR notification rule for covered entities; California § 1798.82 applies to all California businesses regardless of HIPAA coverage]; FTC Safeguards Rule [16 C.F.R. Part 314 — applies to 'financial institutions' as defined by GLBA; California § 1798.82 applies to all California businesses]; Ketchum v. Moses 24 Cal.4th 1122 (2001) Ketchum multiplier eligible for California § 1798.84(b) discretionary fee award in California state court; PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000) reasonable rate; Hensley v. Eckerhart 461 U.S. 424 (1983) lodestar from DATE OF DATA BREACH FIRST DISCOVERED; Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees) — generate three billing gaps driven by § 1798.82 notification obligation scope and breach discovery date analysis and § 1798.82(b) personal information category assessment advisory calls on the cybersecurity incident calendar, the concurrent HHS/OCR HIPAA breach notification and California AG reporting and FTC Safeguards Rule enforcement calendars, and the § 1798.84 attorney fee petition and § 1798.82 class damages and breach notification delay damages calendar: § 1798.82 notification obligation scope and breach discovery date analysis and personal information category assessment advisory calls (7 clients × 2 calls × 42 min × 55% untracked ≈ 5.39 hrs = $1,617–$2,695/year at $300–$500/hr), HHS/OCR HIPAA 60-day notification calendar monitoring and California AG § 1798.82(f) reporting calendar and FTC Safeguards Rule 30-day notification calendar concurrent advisory calls (6 clients × 3 calls × 44 min × 55% ≈ 7.26 hrs = $2,178–$3,630/year), and § 1798.84(b) discretionary attorney fee petition and § 1798.82 class damages computation and breach notification delay damages advisory calls (5 clients × 2 calls × 44 min × 55% ≈ 4.03 hrs = $1,210–$2,017/year). For a solo California data breach notification civil enforcement practice, the annual billing gap from advisory call underlogging is $5,005–$8,342.
TL;DR
ClaimHour captures every § 1798.82 notification obligation scope and breach discovery date analysis and personal information category assessment advisory call that starts the § 1798.84(b) fee documentation period, every concurrent HHS/OCR HIPAA 60-day notification and California AG reporting and FTC Safeguards Rule 30-day notification calendar advisory call on external government calendars entirely outside the consumer attorney's scheduling control, and every § 1798.84(b) discretionary attorney fee petition and class damages computation advisory call on the post-judgment calendar — passively, no timer, no audio, no call contents. $29–$59/mo. No PMS required.
§ 1798.82 notification obligation scope and breach discovery date analysis: calls on the cybersecurity incident calendar
The DATE OF DATA BREACH FIRST DISCOVERED — the date the defendant first discovered or received notification of the breach under § 1798.82(a) — is the primary Welch temporal anchor for § 1798.84(b) attorney fee billing documentation. This date is the ONLY primary anchor in the fee-petition-mechanics series in a CYBERSECURITY INCIDENT DISCOVERY DATE. It is the Hensley lodestar start for three reasons: (1) § 1798.82(a)'s 'most expedient time possible and without unreasonable delay' notification obligation begins running from the breach discovery date — the reasonableness of any notification delay is measured from this anchor; (2) the three-year California statute of limitations for data protection statute violations under CCP § 338(a) begins running from the consumers' discovery of the breach, which turns on when the entity discovered and notified or failed to notify; (3) the § 1798.82(c) law enforcement delay exception — if the entity delayed notification because a law enforcement agency determined it would impede investigation — begins and ends on the law enforcement agency's own calendar, creating an external calendar entirely outside the private attorney's scheduling control.
Three initial advisory call types generate untracked billing from the breach discovery date: (1) § 1798.82(b) personal information category assessment and breach scope advisory — arrives when the class counsel retains and evaluates the case (§ 1798.82(b) personal information category analysis: does the breached data include name + [SS#; driver's license; account number + access code; medical information; health insurance information; ALPR data; online credentials]? Not every data breach qualifies as a § 1798.82 triggering event — the breached data must include at least one of the enumerated § 1798.82(b) categories combined with the person's name; encrypted data: § 1798.82(a) — notification is required only for 'unencrypted personal information'; encryption exception analysis: was the breached data in fact encrypted to the applicable standard at the time of the breach? Key management practices — was the encryption key also breached?; scope of breach: how many California residents were affected? 500+ triggers AG reporting obligation; § 1798.82(g) defines 'breach of the security of the system' as 'unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business'; 42–48 min per call); (2) breach discovery date establishment and notification timeline advisory — arrives during case investigation (breach discovery date determination: when did the defendant's IT security team first receive an alert, flag, or indication of unauthorized access? IR vendor engagement: when was the IR vendor [Mandiant, CrowdStrike, etc.] first notified? Initial triage: when was the initial triage report completed? Management notification: when was the CISO or general counsel first notified internally? External notification decision: when did the entity decide to notify affected individuals? The breach discovery date — the Welch anchor — may differ from the notification date by days, weeks, or months; § 1798.82(a) 'without unreasonable delay' damages analysis: for each day of unreasonable delay after discovery, the affected consumers suffered the ongoing risk of identity theft, fraudulent account openings, tax refund fraud, and medical identity theft; § 1798.82(c) law enforcement delay exception: if law enforcement requested a delay, when did the request begin and when did it end? Law enforcement delay calendar runs entirely on the law enforcement agency's own schedule, entirely outside the private attorney's scheduling control; 42–48 min per call); (3) § 1798.82(d) notification content and § 1798.82(f) AG reporting advisory — arrives during compliance review (§ 1798.82(d) required notification content: [1] name and contact information of reporting entity; [2] list of types of personal information that were or are reasonably believed to have been the subject of the breach; [3] date or estimated date range of the breach; [4] whether notification was delayed as a result of law enforcement investigation; [5] general description of breach incident; [6] toll-free telephone numbers and addresses of consumer reporting agencies if the breach exposed SS# or driver's license; § 1798.82(e) electronic notice alternative: entities with more than 500,000 California residents affected may provide notice on the entity's website and to major statewide media; § 1798.82(f) AG reporting: entity must provide electronic notice to the AG at oag.ca.gov when breach affects 500+ California residents, at the same time it notifies affected consumers; AG notification uses a specific electronic form; failure to provide timely AG notification is an additional § 1798.82 violation; 42–48 min per call). At 55% untracked: 7 clients × 2 calls × 42 min × 55% = 323.4 min / 60 = 5.39 hours = $1,617–$2,695/year at $300–$500/hr.
HHS/OCR HIPAA breach notification calendar and California AG reporting calendar and FTC Safeguards Rule concurrent calendar: calls on the external government notification calendars
A § 1798.82 data breach notification failure case involving a healthcare entity, financial institution, or large-employer group plan generates concurrent notification and enforcement obligations under three independent government calendars, each running on its own schedule entirely outside the private plaintiff attorney's scheduling control. The HHS/OCR HIPAA Breach Notification Rule calendar imposes a 60-day notification deadline from discovery for covered entities and business associates. The California AG reporting calendar imposes a real-time notification obligation (at the same time as consumer notification). The FTC Safeguards Rule imposes a 30-day notification deadline from discovery for covered financial institutions. Each calendar generates advisory calls the private attorney cannot schedule. Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983) lodestar from breach discovery date. Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.
Three concurrent external government notification calendar advisory call types generate untracked billing: (1) HHS/OCR HIPAA Breach Notification Rule calendar advisory — arrives when the defendant is a HIPAA covered entity or business associate (HIPAA BNR: 45 C.F.R. §§ 164.400–414; covered entities must notify affected individuals of a PHI breach within 60 calendar days of 'discovery' — § 164.404(b); HIPAA 'discovery' is defined as the date the covered entity knows or, by exercising reasonable diligence, should have known of the breach — may differ from § 1798.82 'discovery' date; breaches affecting 500+ individuals in any state must also be reported to HHS/OCR simultaneously with affected individual notification — § 164.408; HHS/OCR 'Wall of Shame': hhs.gov/ocr/breach/reporting — public database of reported breaches affecting 500+ individuals; HHS/OCR investigation following a 'Wall of Shame' posting: OCR may open a compliance review and investigation on its own initiative when a large breach appears in the public portal; OCR investigation calendar — complaint intake, case assignment, document request to covered entity, investigation, resolution agreement, and corrective action plan — runs entirely on OCR's own schedule; HHS/OCR civil money penalties up to $1.9 million per violation category per year; OCR resolution agreement and corrective action plan may contain factual admissions relevant to concurrent § 1798.82 civil action; 44–50 min per call); (2) California AG § 1798.82(f) reporting calendar advisory — arrives when the breach affects 500+ California residents (AG notification obligation: § 1798.82(f) requires electronic notice to the AG when breach affects 500+ California residents, at the same time notification is provided to affected individuals — if consumer notification is issued on Day X, AG notification must be issued on Day X; AG receipt and posting: the AG posts breach notifications at oag.ca.gov/privacy/databreach/reporting, creating a public record of when notification was provided; AG UCL investigation: the AG may initiate a UCL § 17200 enforcement action for the entity's failure to notify consumers 'in the most expedient time possible and without unreasonable delay' or for failure to include required § 1798.82(d) content in the notification; AG investigation and enforcement calendar runs entirely outside the private attorney's scheduling control; AG settlement scope and any consent decree terms may affect the private § 1798.82 class action; 44–50 min per call); (3) FTC Safeguards Rule breach notification calendar advisory — arrives when the defendant is a GLBA-defined 'financial institution' (FTC Safeguards Rule § 314.4(j)(2): 'financial institutions' subject to the FTC Safeguards Rule must notify the FTC via a secure electronic form within 30 days of discovery of a 'notification event' — defined as unauthorized acquisition of unencrypted customer information affecting 500 or more customers; the 30-day clock runs from FTC-defined 'discovery,' which may differ from both the § 1798.82 discovery date and the HHS/OCR discovery date; 'financial institution' under GLBA: auto dealers offering financing, mortgage brokers, payday lenders, tax preparers, accounting firms, credit reporting agencies, certain retailers offering store credit — not just banks; FTC investigation and enforcement action following a Safeguards Rule notification event report runs entirely outside the private attorney's scheduling control; FTC consent order findings may contain factual admissions admissible in concurrent § 1798.82 class action; three concurrent government notification calendars — HHS/OCR 60-day HIPAA, California AG real-time § 1798.82(f), FTC Safeguards 30-day — each with distinct discovery-date definitions and distinct enforcement consequences, generating advisory calls on three government-controlled timelines; 44–50 min per call). At 55% untracked: 6 clients × 3 calls × 44 min × 55% = 435.6 min / 60 = 7.26 hours = $2,178–$3,630/year at $300–$500/hr.
§ 1798.84(b) discretionary attorney fee petition advisory: calls on the post-judgment calendar
Civ. Code § 1798.84(b) provides discretionary attorney fees to a prevailing plaintiff: 'In a civil action brought to enforce this section, a court may award reasonable attorney's fees to a plaintiff who prevails.' Unlike the mandatory fee provisions in other series members (§ 1747.08(e): 'shall be entitled'; § 2802(c): includes fees as 'necessary expenditures'; § 3426.4: 'may award'), § 1798.84(b)'s 'may award' language is discretionary — the court must affirmatively exercise its discretion to award fees, and California courts review such awards for abuse of discretion. The § 1798.84(b) fee petition still requires a Hensley lodestar from the DATE OF DATA BREACH FIRST DISCOVERED through all phases. The Ketchum positive multiplier is available in the court's discretion for the California § 1798.84(b) component where: (1) the breach discovery date required forensic investigation through civil discovery to establish; (2) the § 1798.82(b) personal information category analysis required consultation with information security experts; (3) concurrent HHS/OCR and AG enforcement created settlement coordination uncertainty; (4) class certification required complex commonality and typicality analysis across different categories of breached personal information. Ketchum v. Moses 24 Cal.4th 1122 (2001). PLCM Group Inc. v. Drexler 22 Cal.4th 1084 (2000). Hensley v. Eckerhart 461 U.S. 424 (1983). Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees.
Two § 1798.84(b) post-judgment advisory call types generate untracked billing: (1) § 1798.82 actual damages and class damages advisory — arrives at judgment (§ 1798.84(a) actual damages: 'Any customer injured by a violation of this title may institute a civil action to recover damages' — the plaintiff must prove actual damages, which in a notification failure case may include: identity theft losses traceable to the delayed notification; fraudulent account openings during the notification delay period; credit monitoring costs; time spent remedying identity theft; emotional distress; loss of the opportunity to mitigate harm; distinguishing § 1798.82 damages from CCPA § 1798.150 statutory damages [§ 1798.150 provides $100–$750 per consumer per incident statutory damages without proof of actual harm — § 1798.82 requires actual damage proof]; Hensley segregation if § 1798.82 and § 1798.150 are both pleaded for the same breach event: § 1798.82 notification failure hours [§ 1798.84(b) discretionary fees] vs. CCPA § 1798.150 unauthorized disclosure hours [§ 1798.150(c) mandatory fees — 'The court shall award costs and expenses, including attorneys' fees, to a prevailing plaintiff']; the Hensley segregation between § 1798.82 discretionary fees and § 1798.150 mandatory fees is the critical fee documentation task at the breach discovery anchor; 44–50 min per call); (2) § 1798.84(b) discretionary attorney fee petition and court discretion advisory — arrives at fee petition filing (§ 1798.84(b) 'may award' — unlike § 1747.08(e) 'shall be entitled' and § 1798.150(c) 'shall award,' § 1798.84(b) requires the court to affirmatively exercise discretion to award fees; factors courts consider in exercising § 1798.84(b) discretion: [a] the degree of success obtained by the plaintiff; [b] whether the case created a substantial benefit for consumers beyond the named plaintiff; [c] the financial burden imposed on the plaintiff in bringing the case; [d] the complexity of the legal and factual issues; [e] whether the case vindicated an important public interest in data security notification compliance; § 1021.5 private attorney general alternative: if the § 1798.82 class action creates a significant benefit for California consumers and is driven by necessity of private enforcement, § 1021.5 attorney fees are an alternative mandatory fee basis requiring the three-part Woodland Hills test; Ketchum multiplier: available for both § 1798.84(b) discretionary fees and § 1021.5 fees in California state court; Laffitte v. Robert Half International 1 Cal.5th 480 (2016) California class action attorney fees; PLCM Group 22 Cal.4th 1084 (2000) prevailing market rate; Missouri v. Jenkins 491 U.S. 274 (1989) fees-on-fees; 44–50 min per call). At 55% untracked: 5 clients × 2 calls × 44 min × 55% = 242 min / 60 = 4.03 hours = $1,210–$2,017/year at $300–$500/hr.
How ClaimHour fits California Data Breach Notification Act § 1798.82 practice
California Data Breach Notification Act solos billing hourly on Civ. Code § 1798.84(b) discretionary attorney fees — with § 1798.82 notification obligation scope and breach discovery date analysis and § 1798.82(b) personal information category assessment advisory calls arriving when consumers retain data breach counsel after a defendant's notification failure (DATE OF DATA BREACH FIRST DISCOVERED = primary Welch anchor; the ONLY primary anchor in the fee-petition-mechanics series in a CYBERSECURITY INCIDENT DISCOVERY DATE — the internal date on which the defendant's IT security team, IR vendor, or SIEM platform first identified unauthorized access to unencrypted personal information qualifying under § 1798.82(b); not a court filing, not a government agency record, not a consumer complaint, not a bilateral contract, not a retail POS transaction — the defendant's own internal IT security incident discovery date; distinct from CCPA/CPRA § 1798.150 which covers the same breach event but with higher statutory damages and narrower personal information categories), HHS/OCR HIPAA 60-day breach notification calendar advisory calls on OCR's own investigation and enforcement schedule entirely outside the private attorney's scheduling control, California AG § 1798.82(f) reporting calendar advisory calls on the AG's own investigation and enforcement schedule entirely outside the private attorney's scheduling control, FTC Safeguards Rule 30-day notification calendar advisory calls on the FTC's own investigation and enforcement schedule entirely outside the private attorney's scheduling control, and § 1798.84(b) discretionary attorney fee petition and § 1798.82 class damages and Ketchum multiplier advisory calls arriving at civil judgment — and if your § 1798.84(b) lodestar documentation must satisfy the Hensley contemporaneous-record standard from the breach discovery date through all phases of HHS/OCR monitoring, AG enforcement monitoring, FTC Safeguards monitoring, and class certification, through the § 1798.84(b) discretionary attorney fee petition, ClaimHour was built for that gap.