Under California law, wallet providers and exchanges carry substantial liability for security breaches. For example, the California Consumer Privacy Act (CCPA) imposes penalties for data breaches when companies fail to protect consumer data or fail to give users notice. In addition to damages claims by users for breaches of their personal information, the business faces financial penalties for failing to maintain compliance.
Wallet providers and exchanges also have compliance obligations under the California Online Privacy Protection Act (CalOPPA). CalOPPA requires that wallet providers and exchanges have easily accessible privacy policies, as well as an avenue to notify users without undue delay after a breach has occurred. If they fail to notify consumers, they could be liable for failing to comply with CalOPPA.
Similarly, under the Consumer Legal Remedies Act (CLRA), wallet providers can be sued for deceptive claims if they mislead users about user asset security (or use similar language) and the breach occurs through their own negligence. Wallet providers and exchanges are also under the supervision of the Department of Financial Protection and Innovation (DFPI); a wallet provider or exchange that fails to comply with its financial obligations may violate financial regulations and incur penalties or other sanctions. If it is determined that a wallet provider or exchange has failed to comply with the security standards described in its user agreements, it could potentially face residual liability for breach of contract. Finally, if a provider manages user funds, it could assume fiduciary obligations, and if it fails to secure those assets, it may be liable for negligence. In short, security breaches can expose wallet providers and exchanges to a wide range of legal risks, including data privacy violations, civil actions for consumer protection, regulatory enforcement actions, and monetary liability for negligence.