Last week, California Attorney General Kamala Harris filed suit against Kaiser Foundation Health Plan, Inc. (“Kaiser”) in relation to a 2011 data security breach. The AG’s complaint alleges that even though Kaiser provided notice of the breach to affected individuals, it took too long to issue the required notifications.
Like many other state breach notification statutes, California’s breach notification law (California Civil Code section 1798.82) provides that a business must disclose a data breach “in the most expedient time possible and without unreasonable delay.” In 2011, Kaiser became aware that an external hard drive containing unencrypted personal information had been sold, through a thrift shop, to a member of the public. The hard drive included names, addresses, birth dates, and Social Security numbers of tens of thousands of Kaiser employees and their families. Kaiser regained custody of the hard drive in December 2011 and conducted a forensic analysis to determine the types of data it contained. At that time, the state alleges, Kaiser could and should have notified the affected individuals. Instead, Kaiser did not begin notifying individuals until March 2012. The state alleges that this three-month delay was unwarranted and violated California’s unfair competition law.
Kaiser also allegedly violated California Civil Code section 1798.85, which prohibits an entity from publicly posting or displaying an individual’s Social Security number. The complaint alleges that the Social Security numbers of 20,539 California residents were on the unencrypted hard drive. The Complaint seeks $2,500 for each violation proven in court, in addition to the recovery of the state’s costs for trial and investigation. In addition, the state seeks to enjoin Kaiser from any acts of unfair competition.
The case underscores the need for businesses to develop, implement, and maintain appropriate data breach response plans that provide for prompt notice of incidents that qualify as reportable breaches. It also demonstrates that even where a company has reported a breach, regulators may take action if they believe the company did not act with sufficient urgency to notify affected individuals.