» California Case Shines Spotlight On State’s Breach Notice Law

California Case Shines Spotlight On State’s Breach Notice Law

Sacramento, CA (Law Firm Newswire) April 3, 2014 – This case may the first of its kind. The California Attorney General’s office filed a lawsuit against the Kaiser Foundation Health Plan for allegedly violating the unfair competition law.

“This case stems from a personal information and security breach and delayed notification of this breach,” explains respected Sacramento business lawyer, Deborah Barron. The outcome of the case may have a significant impact on how and when companies that are governed by California’s breach notice law provide notice to those who are affected by such a breach. This is a similar situation to the Target payment card incident, in which there was a 3-week delay before customers were informed their personal information was breached.

California’s breach notification law, Section 1798.82 says, in summation, that any business storing personal information “shall” disclose any breach of their system, upon discovery or being advised of the breach, to residents of the state whose unencrypted information was, or is reasonably believed to have been breached. “The most relevant part of the section further states that ‘disclosure shall be made in the most expedient time possible and without unreasonable delay,’” adds Barron.

There is no explicit definition on the books for the most expedient time possible and without unreasonable delay, although the Office of Privacy Protection recommends within ten business days of a company/organization discovering a breach or possible breach.

In the Kaiser case, the Attorney General is alleging that in September, 2011, the health care giant found out that an external hard drive with dates of birth and social security numbers (SSNs), etc., of company workers was purchased by someone from a thrift store. In December of the same year, Kaiser obtained the drive and discovered more than 30,000 SSNs and other personal information. No one was informed at that time of this breach.

Kaiser apparently continued to catalogue the drive’s contents until February 2012. “ Which is five months after they found out about the hard drive being sold and three months after getting it back. Then in March, Kaiser advised approximately 20,539 individuals of the breach, which was six months after they first discovered it and four months after getting the drive back,” Barron outlines.

Based on this long time lag, the California Attorney General is alleging unfair competition under the California Business and Professionals Code, in that even though they did not get done analyzing the drive contents until February 2012, they had enough information to advise some of the people affected by this breach. Not advising people as they determined who was affected thus constitutes failure to provide notice expediently and without delay.

At issue are tolling and staggered notification. In regard to tolling, notification of a breach may be delayed for legitimate law enforcement needs or to allow time for investigation/remediation. Kaiser may argue this point. In relation to staggered notification, the Attorney General suggests Kaiser had enough information to notify some people. What the court may determine regarding this point could change how and when companies governed by California law provide notice. “This will be an interesting case to watch,” Barron suggests.

Barron Law Corporation
1900 Point West Way, Suite 202
Sacramento, CA 95815
Phone: 916-486-1712
http://www.lawbarron.com

Twitter

Facebook

Google+


View Larger Map

  • Social media employer crosses line for non-payment of overtime wages
    Non-payment of overtime to workers is not just a brick-and-mortar company issue. It is also prevalent in online social media niches.  Consider the case of LinkedIn, one of the more prominent social media platforms for connecting and finding jobs. The company recently paid out close to $6 million in back wages and damages to 359 […]
  • Muddling the language of campus sex offenses avoids real preventative effort
    Instead of “no means no” when it comes to campus sex, California legislators are now moving towards laws that suggest “yes means yes.”  Sexual assault is a serious and complex crime that cannot be condensed to “yes means yes” or any other phrase. The prevalence of college campus sexual attacks reflects an attitude that disregards […]
  • Home care workers in California file lawsuit in federal district court for misclassification
    There are many ways to misclassify a worker to avoid complying with existing labor laws in California. A recent lawsuit demonstrates that clearly. California home care franchiser Griswold International LLC is being sued by a group of home care workers for $3 million.  The workers’ statement of claim says that they signed a franchise agreement […]

See other news sources publishing this article. BETA | Tags: , , , , ,



Get headlines from Law Firm Newswire sent right to your inbox.

* indicates required