Calif. AG Sues Kaiser For Waiting Months To Warn Customers Of Data Breach

In a California data breach case that could have national implications, the state’s attorney general is suing Kaiser Foundation Health Plan for letting five to six months pass before it alerted consumers that a hard drive containing their private information – including social security numbers and addresses – had been sold to a member of the public at a thrift store. California law requires businesses to inform customers of security breaches “without unreasonable delay,” which per recommendation of the state’s Office of Privacy Protection means within 10 business days. Kaiser claims that its timing was not unreasonable because it was taking steps to determine the scope of the breach. A potential headache for companies: The possibility that “staggered” notification may be required when investigations are not yet concluded.