Kaiser Foundation Health Plan, Inc. (Kaiser) recently agreed to settle charges brought by California Attorney General Kamala Harris alleging that Kaiser, a component of Kaiser Permanente, the largest health maintenance organization in the U.S., violated California’s unfair competition law by taking too long to notify more than 20,000 current and former employees that their personal information had been compromised.¹ The case and its settlement may have significant implications for businesses that suffer data security incidents requiring notification to affected persons.

Complaint and Settlement

In her complaint,² Attorney General Harris alleged that Kaiser learned on September 24, 2011, that an external hard drive containing unencrypted Social Security numbers, dates of birth, addresses, and other personal information of Kaiser employees (and, in some cases, spouses and children) was sold to a member of the public at a thrift store. Kaiser secured possession of the drive on December 21, 2011, and commenced a forensic evaluation. The forensic evaluation allegedly revealed over 30,000 Social Security numbers and other unencrypted “employee-related sensitive information” on the drive. Kaiser continued to inventory the drive through mid-February 2012, and notified 20,539 California residents on or about March 19, 2012, that their personal information was compromised in the incident.

Attorney General Harris alleged that Kaiser had sufficient information to identify and notify at least some individuals affected by the breach between December 2011 and February 2012, and that its failure to provide notice in a timely fashion violated California’s security breach notification statute. In her complaint, Attorney General Harris sought an injunction to permanently enjoin Kaiser from committing any acts of unfair competition, an order for the company to pay $2,500 for each violation of Section 17200 of the California Business and Professions Code, and recovery of the state’s costs for the suit and its investigation of the matter.

In a stipulated final judgment and permanent injunction entered by the court on February 10, 2014, Kaiser is obligated to provide notices of any future breaches of personal information relating to current or former employees on a “rolling basis” where “feasible and appropriate,” with Kaiser needing to provide notice “as soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser’s investigation of the breach is ongoing,” and “continu[ing] to notify individuals as soon as they are identified, throughout and until completion of Kaiser’s investigation of the breach.”

Kaiser also agreed to pay $150,000 ($30,000 in civil penalties and $120,000 in attorneys’ fees and costs of investigation and prosecution). Further, Kaiser agreed to, within 120 days of the judgment, provide additional training to its employees regarding personnel files, review its email encryption policies and devise a plan for updating those policies as needed, audit its employees’ access to employee personal information, and provide a report to the California attorney general’s office regarding its audit.

Analysis

The relevant portion of California’s security breach notification statute, California Civil Code Section 1798.82, provides in pertinent part as follows (emphasis added):

Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

The statute does not provide a more precise meaning of “the most expedient time possible and without unreasonable delay,” but California’s Office of Privacy Protection has recommended that notice be given within 10 days of an organization’s determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.³

In the complaint, Attorney General Harris stated that while Kaiser commenced notice in or about March 2012, it “could have notified individuals it had identified as affected by the breach as early as December 2011.” The company providing notice approximately a month after completing its internal forensic analysis—approximately six months after its initial discovery of the hard drive having been compromised, and approximately four months after obtaining the hard drive—allegedly was not “in the most expedient time possible and without unreasonable delay.” The complaint does not address whether Kaiser’s evaluation of the hard drive constituted “measures necessary to determine the scope of the breach,” but by implication, the position of Attorney General Harris in the complaint appeared to be that even if measures are ongoing to determine the scope of the breach, notice must be provided to those who have been identified at the time. This is consistent with the obligation to provide notification on a “rolling basis” where “feasible and appropriate,” as Kaiser agreed to in the stipulated final judgment.

Implications

The Kaiser case and settlement are interesting for a number of reasons. First, they address what Attorney General Harris asserts “the most expedient time possible” and “without unreasonable delay” mean under California’s security breach notification law. The complaint and its settlement evidence Attorney General Harris’s position that notification to affected California residents of security breaches must occur on a rolling basis, as residents can be identified, rather than at the completion of an investigation. This implies a position by the attorney general that the statute’s provisions permitting notification to be delayed to accommodate “measures necessary to determine the scope of the breach” do not permit delay of notification to identified individuals whose unencrypted personal information has been confirmed as compromised.

Because breach notification investigations often are fluid, with tentative conclusions sometimes later invalidated by subsequent findings, attempting to comply with the “rolling notification” standard suggested by the complaint and settlement may lead to companies being placed in a difficult position. The California statute, along with most other security breach notification statutes, requires notice not only in the event of unencrypted personal information being acquired by an unauthorized person, but also when it is “reasonably believed to have been” so acquired. Companies might be required to deliver notices to consumers containing information that later turns out to be inaccurate or incomplete. This could require later supplementation or correction of facts. It also could result in “false positives” in which consumers are notified that their personal information was compromised when, as revealed by subsequent investigation, it was not.

These factors may necessitate difficult decisions by entities suffering a security breach, or a potential security breach, affecting California residents. Companies that delay providing notice until the completion of an investigation run the risk of potential enforcement by the California attorney general. Companies that rush to provide notice while an investigation is ongoing, in contrast, may be required to provide notification based on limited information, as well as to deliver multiple notices to consumers. This may be expensive, logistically challenging, and confusing to recipients. It also could lead to significant public relations challenges.

Additionally, because nearly all of the 46 state security breach notification statutes use similar timing language,⁴ this case and its settlement may have bearing on other state regulatory authorities’ interpretation of their laws or, potentially, lead to statutory amendments. California was the first state to enact security breach notification legislation in 2002, with dozens of states quickly following suit over the next few years. More generally, California plays a leading role in the privacy regulatory space, and it would not be surprising to see this case and its settlement have an impact on how other state regulatory authorities interpret the timing requirements of their state breach notification laws over time.

¹ The complaint also alleges that Kaiser engaged in unfair competition by “publicly posting and/or displaying the Social Security numbers of 20,539 Californians on an unencrypted hard drive made available to the general public via sale at a thrift store,” thereby violating California Civil Code § 1798.85(a)(1).

² The complaint in California v. Kaiser Foundation Health Plan Inc. (case no. RG14711370) (Cal. Sup. Ct., Alameda Co.), as well as the final judgment and permanent injunction filed on the same day, is available at http://www.wsgr.com/PDFs/Judgment-and-Settlement.pdf.

³ See California Office of Privacy Protection, “Recommended Practices on Notice of Security Breach Involving Personal Information,” available at http://www.dhcs.ca.gov/formsandpubs/laws/priv/Documents/PrivacyProtection.pdf.

⁴ While several U.S. state security breach notification statutes use language similar to the California statute, many of them differ in the precise language used to articulate the notice obligation. For example, some states only require notification “without unreasonable delay,” while some require notice “as soon as possible,” “as soon as reasonably practicable,” “as expeditiously as possible,” or in accordance with similar standards. Most permit notice to be delayed in circumstances similar to those set forth in the California law, while some also permit notice to be delayed as necessary to identify affected individuals. Three states—Florida, Ohio, and Vermont—in most cases require notification to be provided no later than 45 days following the discovery or determination of a security breach.