The following is cross-posted from PHIprivacy.net:
In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part:
The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.
At the time, I had a number of questions about his analysis and commentary, and I’m delighted to say that Ben recently got in touch with me and offered to expand on his previous article. The following, then, is a guest article and commentary by Benjamin Wright:
On this blog, Dissent published comments about my observations regarding the Lucile Packard Children’s Hospital data breach case in California. I made a constitutional argument that data breach investigations should not be unduly rushed. Dissent expressed confusion about my argument, and has invited me to explain myself here.
I stress that I am not passing judgement on the decisions in this particular LPCH case because I don’t know enough of the facts. But I am using the case to make a general point about law and the investigation of suspected data breaches.
Background: In the LPCH case one employee alleged that another employee walked out the door with a computer containing sensitive data. The alleged perpetrator otherwise was authorized to use the computer in question and to access the data. LPCH conducted an investigation, which included asking police to attempt to recover the computer. After determining that the computer was unrecoverable, LPCH sent out breach notices on February 19, 2010. The California Department of Public Health said the notices should have gone out more quickly, and therefore fined LPCH. CDPH says that as of February 2, 2010, LPCH had “confirmed” the breach.
On my blog, I argued the California breach notice law should not be interpreted to require hair-trigger determinations by data holders on the question of whether a breach has occurred. In other words I argued that a rush to judgment is bad law and unconstitutional.
This is what I mean. Just because a data holder suspects that data were accessed wrongfully does not mean that in fact the data were accessed wrongfully. When a suspicion exists, an investigation is required. But the investigation should not be a pell-mell rush to a conclusion, one-way or another, on whether a breach did occur.
In my experience, the facts that surface in a data security investigation are often voluminous, messy and confusing. For example, just because one employee makes an allegation about another employee, it does not mean the allegation is true. Getting to the truth often requires time, deliberation, and judgment.
Data breach investigations often raise difficult issues of evidence. Rarely does the investigation possess ironclad evidence that a breach has occurred with respect to any particular unit of data. What do I mean by “ironclad” evidence? An example of “ironclad” evidence would be a formal, written affidavit, signed and notarized, stating as follows: “I am Jane Smith. I hereby attest that on June 14, 2010, approximately 2pm Pacific Time, I used a computer on the premises of ABC Hospital and that computer did not belong to me, and I had no right to use the computer in the way I used it. I used that computer to view the name, social security number and postal address of patient John Doe, and I used the computer to exercise dominion over the aforementioned data. I further attest that at the stated time I was not authorized by ABC Hospital, John Doe or any other legal authority to view and exercise dominion over that information.” Now that’s strong evidence for supporting the conclusion that a breach has occurred.
In real-world cases, however, the evidence is often voluminous, complex, contradictory and sketchy. It includes flimsy things like allegations by employees who may have conflicts of interest or are otherwise fallible. It includes computer logs that show only little snippets of information that can be interpreted in numerous different ways.
To weigh imperfect evidence often requires careful thought, consultation with outside experts, collection of additional evidence that’s hard to get, and a good night’s sleep (and possibly more than one night of sleep). I caution against data holders like LPCH making snap, irrational decisions about whether a breach has or has not happened.
In the LPCH case, the hospital maintains that it sent out notices promptly after it had rationally – based on careful, logical review of all the evidence — concluded that a breach had occurred. CDPH, on the other hand, contends that LPCH should have concluded that a breach had occurred much earlier. I don’t know who is right in this case.
But here’s my point on constitutionality: The constitution guarantees “due process of law.” That means laws cannot work or be enforced in arbitrary, capricious or unreasonable ways. In other words, public officials like CDPH cannot impose fines on a whim or just because they want to “send a message” to all those institutions that hold data.
Further, our legal system has long recognized that the evaluation of evidence takes time. That’s why juries are sent for hours, days or even weeks to deliberate in jury rooms, and why the juries are periodically released so jurors can go home, rest and sleep, even while the jury is still in service. A jury cannot rationally reach a conclusion that a defendant is “guilty” until the jury has deliberated.
The California breach notice law requires the sending of notice after it is known that the breach occurred. To “know that a breach has occurred” is to reach a legal conclusion (like the conclusion that a defendant in a criminal trial is “guilty”).
But one cannot know or confirm a legal conclusion involving complex facts until after a rational, deliberate review of the facts. If an official like CDPH interprets the law so that a data holder is deemed to know or confirm something before it’s had a due opportunity to investigate and think carefully about the facts, then the official is acting arbitrarily, capriciously and unreasonably.
Bottom line: Competent investigations take time. Officials like CDPH should not pressure data holders to engage in hasty, incomplete investigations.
Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS).