California Attorney General Kamala Harris has sued the Kaiser Foundation Health Plan for failing to promptly notify employees about a 2011 data breach. California’s breach notice law requires breaches of unencrypted personal information to be disclosed “in the most expedient time possible and without unreasonable delay.” Harris alleges that Kaiser violated this requirement by taking too long to notify employees that an unencrypted hard drive containing Social Security numbers and other personal information had been purchased at a thrift store in Santa Cruz; because the drive was unencrypted, its loss fell squarely within the statute’s notice duty. Kaiser allegedly learned of the incident in late September 2011, finished an “initial forensic investigation” on December 28, 2011, and began notifying affected employees on March 19, 2012. Harris contends that “Kaiser could have notified individuals it had identified as affected by the breach as early as December 2011, but did not commence notice until on or about March 19, 2012.”
Perhaps more notably, Harris also alleges Kaiser violated a California law that prohibits “publicly post[ing] or . . . display[ing] in any manner an individual’s social security number.” The law defines “publicly post” or “publicly display” broadly to mean “intentionally communicate or otherwise make available to the general public.” The fact that the hard drive was found in a thrift store and, as Attorney General Harris put it, “was purchased by a member of the public” may explain the decision to sue Kaiser under this law. But the complaint also could be read more broadly as an attempt to treat the loss of an unencrypted hard drive as a “public posting” of the Social Security numbers. The latter would represent a novel reading of the law, which has analogues in more than two dozen other states.