California Attorney General Files Lawsuit Based on Late Breach Notification
In the first case of its kind (that I am aware of), the California Attorney General's office filed a complaint against the Kaiser Foundation Health Plan, Inc. ("Kaiser") alleging a violation of California's "unfair competition law" (Business and Professions Code sections 17200-17210) arising out of a personal information security breach and delayed notification. This lawsuit is interesting because the AG's office alleges that the timing of Kaiser's notification violated California's breach notification law (California Civil Code section 1798.82, subdivision (a)). It also comes on the heels of the Target breach where people are questioning Target's 3-week "delay" in providing its initial notification. As discussed further below the fold, the outcome of this case could impact when and how companies subject to California's breach notice law provide notice to affected individuals. Moreover, considering California's influence in the privacy regulatory space it could have nationwide implications.
Section 1798.82 of California's breach notification law provides as follows (emphasis supplied):
Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
While California's law does not explicitly define "most expedient time possible and without unreasonable delay", California's Office of Privacy Protection recommends that notice be provided within ten (10) business days of an organization's determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
With respect to Kaiser, the CA AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing the personal information (SSNs, DOBs, addresses, etc.) of Kaiser employees had been sold to a member of the public at a thrift store. On December 21, 2011 Kaiser secured possession of the drive and conducted a forensic examination. The initial forensic examination allegedly revealed the presence of over 30,000 SSNs and other personal information. According to the CA AG, Kaiser continued its inventory of the drive through mid-Feburary 2012 (approximately 5 months after initial discovery and 3 months after obtaining the drive). Still later, Kaiser provided notice to 20,539 California residents on March 19, 2012 (approximately 6 months after its initial discover and 4 months after obtaining the drive).
Based on the facts set forth above, the CA AG alleges that Kaiser's delay between obtaining the drive in December 2011 and notification to affected individuals in March 2012 amounts to an act of of unfair competition under section 17200 of California's Business and Professions code. In particular, the CA AG alleges that even though Kaiser did not complete its analysis of the drive until February 2012, it had sufficient information to notify at least some affected individuals between December 2011 and February 2012. In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even if its investigation was not complete, amounted to a failure to provide notice "in the most expedient time possible and without unreasonable delay" under California's breach notice law (California Civil Code section 1798.82, subdivision (a)). Under California's Business and Professions code section 17206, Kaiser could be ordered to pay $2,500 for each violation of section 17200 (if late notice to each affected individual is a separate violation, Kaiser could be looking at significant penalties).
The lawsuit and the CA AG's allegations raise some interesting issues for breach notification lawyers:
- Tolling. Like most breach notice laws, notification can be delayed based on the legitimate needs of law enforcement. Since this breach did not involve a malicious hacker/fraudster, it is doubtful that law enforcement was involved at all. However, California's breach notice law also appears to allow for an investigative / remediation delay (emphasis supplied):
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Although this language is somewhat unclear, Kaiser may be able to take the position that its delay was not unreasonable because it was taking necessary measures to determine the scope of the breach. However, the CA AG will likely argue that this tolling language is intended to allow organizations to determine the scope of a breach in order to end it and get its systems and data back up and secure. In fact, the recommendations of California's Office of Privacy Protection do indicate the some delay is acceptable to "[t]ake necessary steps to contain and control the systems affected by the breach and conduct a preliminary internal assessment of the scope of the breach."
Interestingly, even though the initial breach was discovered in September 2011, the CA AG does not take issue with the 3-month delay between Kaiser's discovery that the drive had been sold at thrift store and its obtaining the drive and starting an investigation. As such, one might reasonably conclude that the CA AG viewed the effort of obtaining the drive and the delay associated with that effort as not unreasonable delay (or perhaps tolled as part of "measures necessary to determine the scope of the breach").
- Staggered Notification. The CA AG alleges that even though Kaiser's inventory of the drive was not complete until February 2012, Kaiser had enough information to identify and notify at least some individuals between December 2011 and February 2012. This view of notification obligations could have a significant impact on when and how organizations subject to California law provide notice.
In many situations, including apparently the Kaiser breach, it may be difficult to get a full picture of the breach and identify affected individuals. Oftentimes, especially for complex breaches, an organization will have a preliminary idea or indication concerning the number of affected individuals. However, it is necessary to conduct a full investigation to determine the "true" number of affected individuals, and most companies will want to notice to all affected individuals all at once.
It is not unusual to "find" more affected individuals after further investigation of a breach. In some cases forensics will determine that the systems or databases affected by the breach are more widespread. In other cases it may take a long time to sift through gigabytes of data to determine whose personal information was affected by a breach. In fact, sometimes a forensic investigation will lead to a determination that less individuals were affected by a breach than originally thought. The analysis and investigation is further complicated because notification is required for not only individuals whose personal information was actually acquired by an unauthorized person, but also individuals whose information is "reasonably believed to have been" acquired. A more detailed investigation may result in a determination that there is not a reasonable belief that personal information was acquired by an unauthorized person -- in other words, the reasonableness standard is impacted based on the amount and type of information an organization has at a particular moment.
In any case, the CA AG's complaint appears to suggest that the AG's office believes that staggered notification is necessary once an organization determines a particular individual's or group of individuals' personal information was actually or is reasonably believed to have been acquired by an unauthorized person, even if the investigation is not complete and more affected individuals may exist.
This can cause difficulties for breached organizations. If the breached organization, after further investigation, determines that less individuals were affected by the breach then it will have "over-notified" (causing undue concern; indeed, the CA Office Office of Privacy Protection itself recommends avoiding "false positives") and it may have to send out a second notice to correct the first. In addition, staggered notification causes logistical difficulties in terms of setting up multiple mailings and communication channels. Staggered notice may also cause public relations problems to the extent the public views a breach organization as having "gotten it wrong" or hiding information about the true scope of the breach. Finally, rushing to get notice out without a full understanding and accurate information about the incident can result in confusion for affected individuals.
While the outcome of this lawsuit is uncertain, breach notification practitioners and companies that handle California personal information should keep an eye on this case (and any rulings that come out of it). Moreover, if the saying is true, "as California goes so goes the nation", this case could impact how other State regulators view the timing requirements under their breach notification laws. We will keep you posted as this matter develops further.