California Attorney General Kamala Harris recently settled claims against Kaiser Permanente under California’s Unfair Competition Law, Cal. Bus. & Prof. Code 17200, alleging that Kaiser waited too long to notify current and former employees of a 2011 data breach. The case is significant because it provides some clarity on the timeframe the AG interprets California’s data security breach notification statute, Cal. Civ. Code Section 1798.82, as requiring for reporting a breach. Section 1798.82 does not set a specific timeframe for making the required disclosures. Kaiser waited until its forensic investigation of the breach was complete, about four months, before notifying the affected employees. The AG claimed Kaiser should have notified employees as soon as reasonably possible after identifying them, even if its investigation was ongoing. In addition to the payment of civil penalties and attorney’s fees, Kaiser agreed, as part of the settlement, to make prompt notifications of future breaches (providing rolling notification after identifying a portion of the total individuals impacted) and to take several other steps to improve its data security practices.