In one of the first cases of its kind resulting from a delay in notifying affected individuals of a data breach, the California Attorney General (the “CA AG”) filed a complaint against Kaiser Foundation Health Plan, Inc. (“Kaiser”) under California Business and Professions Code section 17200, alleging that Kaiser took too long to notify its employees that their personally identifiable information had been compromised as a result of a data breach. The CA AG sought an injunction, civil penalties, and other equitable relief for the violations.
On Sept. 24, 2011, an external hard drive was purchased at a thrift store that contained unencrypted names of Kaiser employees, their social security numbers, dates of birth, addresses, and, for some employees, the personal information of their spouse and children. Kaiser recovered the hard drive on Dec. 21, 2011, and conducted a forensic examination which was completed on Dec. 28, 2011. It was not until March 19, 2012, however, that, pursuant to California’s notification law, Kaiser began sending out the required notification letters to individuals whose information had been compromised.
The CA AG alleged that Kaiser did not notify the individuals “in the most expedient time possible and without unreasonable delay.” Specifically, the CA AG indicated that Kaiser could have notified affected individuals “as early as December 2011, but did not commence notice until on or about March 19, 2012.” Such a delay, the CA AG alleges, violates California Civil Code section 1798.85(a)(1). The CA AG did not agree with the industry standard of notifying affected individuals all at the same time once the affected group is identified. Instead, the CA AG wanted to see a staggered notification which would have required Kaiser to notify affected individuals once they were identified.
The CA AG sought damages against Kaiser in the amount of $2,500 for each violation of the California Business and Professions Code. California alleged that there were 20,539 affected individuals, i.e., 20,539 separate violations. The CA AG also sought attorney fees, court costs, investigation costs, and an injunction that Kaiser be enjoined from committing any acts of unfair competition.
Less than a month after the CA AG filed its complaint, Kaiser and the state entered into a settlement agreement. The settlement required Kaiser to pay $30,000 to the State of California and also to pay $120,000 for legal fees and for the cost of prosecution. Kaiser is also required to take “appropriate actions to resolve [the attorney general’s] concerns and continue to protect [its] employees’ information.” Kaiser further agreed to provide notification for future breaches involving current or former employees’ personal data on a “rolling basis,” which means Kaiser will begin providing breach notification as soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser’s breach investigation is ongoing, and will continue to notify individuals as soon as they are identified until Kaiser’s breach investigation is completed. Additionally, Kaiser has agreed to review and improve its policies and procedures where “necessary and feasible” regarding encryption of e-mail that contains personally identifiable information. Kaiser also agreed to provide the CA AG with the results of an internal audit regarding access to employees’ personally identifiable information.
Many of the 46 state statutes do not have a specific statutory requirement to notify affected individuals within a certain number of days of discovery of the breach. As a result, organizations have used their own discretion to determine the appropriate time to notify affected individuals about a breach. The CA AG is clearly sending a message that waiting for a complete forensic investigation before notifying residents of a data breach violates the state’s notification statute. Rather, the AG wants notices sent out on a rolling basis, as affected individuals are identified. As has occurred in the past, other states are likely to follow California’s lead in aggressively pursuing compliance with their state breach statutes.
How does an organization minimize liability related to investigations and/or lawsuits filed by state attorneys general? Develop and implement proactive measures now. Planning for the inevitable data breach before it happens allows a much more efficient response to the incident, thereby significantly decreasing the potential for fines, attorneys’ fees, court costs, investigation costs, and injunctions arising out of state and federal audits and investigations.