Privacy Enforcement Actions
Kaiser Foundation Health Plan, Inc.
Kaiser agreed to a stipulated final judgment for delaying notification to its employees after an unencrypted USB drive containing over 20,000 employee records was discovered at a Santa Cruz thrift store. Kaiser paid $150,000 in penalties and attorneys’ fees, and agreed to comply with California’s data breach notification law in the future, provide notification of any future breach on a rolling basis, and implement additional training regarding the sensitive nature of employee records.
Citibank agreed to a stipulated final judgment arising out of a breach of its Citibank Online website via a known technical vulnerability that affected over 80,000 California account holders. Citibank paid $420,000 in penalties and attorneys’ fees to California and $55,000 to the Connecticut Attorney General. Citibank also agreed to improve its security procedures, conduct an independent audit of Account Online, and provide credit monitoring for affected individuals for two years.
Anthem Blue Cross
Anthem agreed to a stipulated final judgment after it printed Social Security numbers on mailings to its customers where they were visible on the envelope. Anthem paid $150,000 in penalties and attorneys’ fees and agreed to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers, and provide enhanced data security training for all of its associates.
Privacy Amicus Filings
Fraley v. Facebook, Inc.
The Attorney General filed a brief for the State of California as amicus curiae in support of neither party, in Fraley v. Facebook on appeal from the U.S. District Court for the Northern District of California, arguing that California law protecting publicity rights of minors remained valid and enforceable.