
Kaiser Permanente Data Breach (2011)

Kaiser Permanente

medium

VERIS
Disclosed

September 24, 2011


Records

50.5K

Confirmed

Root Cause

Improper Disposal

Industry

Healthcare

Description

In the first case of its kind (that I am aware of), the California Attorney General's office filed a complaint against the Kaiser Foundation Health Plan, Inc. (Kaiser) alleging a violation of California's unfair competition law (Business and Professions Code sections 17200-17210) arising out of a personal information security breach and delayed notification. This lawsuit is interesting because the AG's office alleges that the timing of Kaiser's notification violated California's breach notification law (California Civil Code section 1798.82, subdivision (a)). It also comes on the heels of the Target breach, where people are questioning Target's three-week delay in providing its initial notification. As discussed further below, the outcome of this case could affect when and how companies subject to California's breach notice law provide notice to affected individuals. Moreover, considering California's influence in the privacy regulatory space, it could have nationwide implications.

Section 1798.82 of California's breach notification law provides as follows:

"Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."

While California's law does not explicitly define "most expedient time possible and without unreasonable delay," California's Office of Privacy Protection recommends that notice be provided within ten (10) business days of an organization's determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

With respect to Kaiser, the CA AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing the personal information (SSNs, DOBs, addresses, etc.) of Kaiser employees had been sold to a member of the public at a thrift store. On December 21, 2011, Kaiser secured possession of the drive and conducted a forensic examination. The initial forensic examination allegedly revealed the presence of over 30,000 SSNs and other personal information. According to the CA AG, Kaiser continued its inventory of the drive through mid-February 2012 (approximately 5 months after initial discovery and 3 months after obtaining the drive). Still later, Kaiser provided notice to 20,539 California residents on March 19, 2012 (approximately 6 months after its initial discovery and 4 months after obtaining the drive).

Based on the facts set forth above, the CA AG alleges that Kaiser's delay between obtaining the drive in December 2011 and notifying affected individuals in March 2012 amounts to an act of unfair competition under section 17200 of California's Business and Professions Code. In particular, the CA AG alleges that even though Kaiser did not complete its analysis of the drive until February 2012, it had sufficient information to notify at least some affected individuals between December 2011 and February 2012.

In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even though its investigation was not complete, amounted to a failure to provide notice "in the most expedient time possible and without unreasonable delay" under California's breach notice law (California Civil Code section 1798.82, subdivision (a)). Under California's Business and Professions Code section 17206, Kaiser could be ordered to pay $2,500 for each violation of section 17200 (if late notice to each affected individual is a separate violation, Kaiser could be looking at significant penalties).

Kaiser Permanente Data Breach (2011) - 51K Records | ExposedMap