California has very strict data protection rules. Any business that owns, licenses or maintains personal information about a California resident must have reasonable security provisions in place. The Center for Internet Security has provided a list of 20 security controls that California deems important for reasonable security measures. These include, among others, multifactor identification, encryption of data in transit and fraud alerts.
California released a data breach report that analyses the data breaches reported to the CA Attorney General from 2012 through 2015. A copy of the report is available here.