Data breaches are continuing to make headlines. Nearly every state has a data breach notification statute, and many of these statutes require companies to notify affected individuals without unreasonable delay.
Previously, little guidance existed on what constitutes an “unreasonable delay” in breach notification. But on January 24, 2014, the California Attorney General filed a Complaint that provides more clarity on the issue for those subject to California’s data breach law, California Civil Code Section 1798.82.
The Complaint alleged that Kaiser Foundation Health Plan, Inc. (“Kaiser”) failed to provide timely breach notification to affected California residents when a third party acquired an external hard drive containing unencrypted personal information of former and current Kaiser employees. The personal information included names, Social Security numbers, dates of birth, addresses, and personal information of some employees’ family members.
Kaiser allegedly recovered the hard drive in December 2011. That same month, Kaiser allegedly conducted an initial forensic examination, which revealed that the hard drive contained over 30,000 Social Security numbers and other employee-related sensitive information. Kaiser continued to inventory the remaining contents of the hard drive through February 2012. It then mailed notification letters to over 20,000 affected California residents in March 2012.
The Attorney General contended that such a delay in notification was unreasonable and violated California’s Unfair Competition Law. The Complaint alleged that Kaiser failed to notify affected residents “in the most expedient time possible and without unreasonable delay, in that Kaiser could have notified individuals it had identified as affected by the breach as early as December 2011, but did not commence notice until on or about March 19, 2012.”
The parties also filed a Stipulation for Entry of Final Judgment and Permanent Injunction. Among other things, the Stipulated Judgment would require breach notification in future cases on a “rolling basis,” meaning that Kaiser must begin notifying individuals as “soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser’s investigation of the breach is ongoing.” The Stipulated Judgment would also impose auditing requirements and a $150,000 penalty on Kaiser.
The Complaint somewhat clarifies how quickly the California Attorney General expects companies that experience data breaches to notify affected California residents. Companies experiencing breaches often spend time after discovery of the breach conducting internal investigations and forensic examinations. In filing the Complaint, the California Attorney General is cautioning businesses to notify affected individuals as soon as reasonably possible, even without the benefit of a complete breach investigation. The risk of early notification, however, lies in notifying on the basis of incomplete or inaccurate information. As the Complaint demonstrates, that risk will need to be balanced against the risk of regulatory scrutiny for waiting too long.