Indiana Attorney General Greg Zoeller announced on October 29, 2010, that he has sued health insurer WellPoint, Inc. for alleged failure to provide timely notification of a data breach. Indiana’s breach notification statute requires a business that has experienced a data breach to notify affected individuals and the state attorney general “without unreasonable delay.” The state alleges that WellPoint was notified of the security breach on February 22, 2010, and again on March 8, 2010, but did not begin notifying customers of the breach until June 18, 2010. A delay is considered reasonable if it is “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.” Ind. Code § 24-4.9-3-3(a). WellPoint has not yet filed an answer to the complaint.
The state is reportedly seeking damages of $300,000. This incident underscores the importance of rapidly investigating and addressing potential data breaches. Many jurisdictions’ breach notification statutes require notification “without unreasonable delay” or have words of similar effect, and some jurisdictions provide hard deadlines. For example, Puerto Rico’s breach notification statute requires notification of certain breaches within 10 days of discovery.