A key requirement of many data protection laws around the world is breach notification. In the U.S., in addition to state-level breach notification requirements, there are also sector-specific ones, exacerbating the challenges for privacy professionals. In this guest article, Ray Pathak, Nymity chief operating officer at TrustArc, reviews the CCPA’s breach notification requirement and its litigation implications, and offers advice on developing a compliance framework, incorporating lessons from mistakes companies made with GDPR compliance. See CSLR’s two-part interview with Irish Data Protection Commissioner Helen Dixon: “GDPR Enforcement Hurdles One Year In” (May 29, 2019); and “Breach Notification, the Role of the DPO and a U.S. Privacy Law” (Jun. 5, 2019).