Data Breach Investigation | Due Process of Law
The following is cross-posted from PHIprivacy.net:
In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part:
The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.
At the time, I had a number of questions about his analysis and commentary, and I’m delighted to say that Ben recently got in touch with me and offered to expand on his previous article. The following, then, is a guest article and commentary by Benjamin Wright:
On this blog, Dissent published comments about my observations regarding the Lucile Packard Children’s Hospital data breach case in California. I made a constitutional argument that data breach investigations should not be unduly rushed. Dissent expressed confusion about my argument, and has invited me to explain myself here.
I stress that I am not passing judgment on the decisions in this particular LPCH case because I don’t know enough of the facts. But I am using the case to make a general point about law and the investigation of suspected data breaches.
Background: In the LPCH case one employee alleged that another employee walked out the door with a computer containing sensitive data. The alleged perpetrator otherwise was authorized to use the computer in question and to access the data. LPCH conducted an investigation, which included asking police to attempt to recover the computer. After determining that the computer was unrecoverable, LPCH sent out breach notices on February 19, 2010. The California Department of Public Health said the notices should have gone out more quickly, and therefore fined LPCH. CDPH says that as of February 2, 2010, LPCH had “confirmed” the breach.
On my blog, I argued the California breach notice law should not be interpreted to require hair-trigger determinations by data holders on the question of whether a breach has occurred. In other words I argued that a rush to judgment is bad law and unconstitutional.
This is what I mean. Just because a data holder suspects that data were accessed wrongfully does not mean that in fact the data were accessed wrongfully. When a suspicion exists, an investigation is required. But the investigation should not be a pell-mell rush to a conclusion, one way or another, on whether a breach did occur.
In my experience, the facts that surface in a data security investigation are often voluminous, messy and confusing. For example, just because one employee makes an allegation about another employee, it does not mean the allegation is true. Getting to the truth often requires time, deliberation, and judgment.
Data breach investigations often raise difficult issues of evidence. Rarely does the investigation possess ironclad evidence that a breach has occurred with respect to any particular unit of data. What do I mean by “ironclad” evidence? An example of “ironclad” evidence would be a formal, written affidavit, signed and notarized, stating as follows: “I am Jane Smith. I hereby attest that on June 14, 2010, approximately 2pm Pacific Time, I used a computer on the premises of ABC Hospital and that computer did not belong to me, and I had no right to use the computer in the way I used it. I used that computer to view the name, social security number and postal address of patient John Doe, and I used the computer to exercise dominion over the aforementioned data. I further attest that at the stated time I was not authorized by ABC Hospital, John Doe or any other legal authority to view and exercise dominion over that information.” Now that’s strong evidence for supporting the conclusion that a breach has occurred.
In real-world cases, however, the evidence is often voluminous, complex, contradictory and sketchy. It includes flimsy things like allegations by employees who may have conflicts of interest or are otherwise fallible. It includes computer logs that show only little snippets of information that can be interpreted in numerous different ways.
To weigh imperfect evidence often requires careful thought, consultation with outside experts, collection of additional evidence that’s hard to get, and a good night’s sleep (and possibly more than one night of sleep). I caution against data holders like LPCH making snap, irrational decisions about whether a breach has or has not happened.
In the LPCH case, the hospital maintains that it sent out notices promptly after it had rationally – based on careful, logical review of all the evidence – concluded that a breach had occurred. CDPH, on the other hand, contends that LPCH should have concluded that a breach had occurred much earlier. I don’t know who is right in this case.
But here’s my point on constitutionality: The constitution guarantees “due process of law.” That means laws cannot work or be enforced in arbitrary, capricious or unreasonable ways. In other words, public officials like CDPH cannot impose fines on a whim or just because they want to “send a message” to all those institutions that hold data.
Further, our legal system has long recognized that the evaluation of evidence takes time. That’s why juries are sent for hours, days or even weeks to deliberate in jury rooms, and why the juries are periodically released so jurors can go home, rest and sleep, even while the jury is still in service. A jury cannot rationally reach a conclusion that a defendant is “guilty” until the jury has deliberated.
The California breach notice law requires the sending of notice after it is known that the breach occurred. To “know that a breach has occurred” is to reach a legal conclusion (like the conclusion that a defendant in a criminal trial is “guilty”).
But one cannot know or confirm a legal conclusion involving complex facts until after a rational, deliberate review of the facts. If an official like CDPH interprets the law so that a data holder is deemed to know or confirm something before it’s had a due opportunity to investigate and think carefully about the facts, then the official is acting arbitrarily, capriciously and unreasonably.
Bottom line: Competent investigations take time. Officials like CDPH should not pressure data holders to engage in hasty, incomplete investigations.
Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS).
Lazzarotti - December 4, 2010
Mr. Wright raises a particularly important concern of many companies faced with responding to a data incident that may or may not constitute a “breach” under the applicable law. The California law referenced contains an express 5-day requirement; however, all other data breach notification laws in the United States essentially require that notice be provided without unreasonable delay. The good news is that some states expressly permit delay to secure the entity’s information systems, investigate the breach and coordinate with a police investigation. The bad news is that some could be interpreted as requiring notice in fewer than five days if it is determined a longer delay would have been unreasonable under the circumstances. What to do . . . have a plan.
In my experience, federal and state regulators have generally recognized the reasonableness of certain delays such as those related to the need to assess the situation and some of the reasons Mr. Wright noted above. However, when facing enforcement from agencies like the California Department of Public Health, which has handed out penalties approaching $1.5 million for data privacy issues in the last 6 months of 2010 alone, the entity may need to consider a different approach.
Of course, as Mr. Wright points out, there may not even be a breach. Even where it is clear from the outset that the company has a reportable breach, there are some prudent steps companies should be taking prior to notification such as (i) securing its systems, (ii) determining the scope of the breach, (iii) coordinating with vendors who also may be affected, (iv) reaching out to law enforcement, and (v) locating and securing the services of a credit or other monitoring service. This could easily take longer than 5 days.
Where it is clear a company has a reportable breach, and is facing the significant penalties of the kind meted out by CDPH, they may want to consider sending an initial notice to affected persons, and follow up with additional communications as necessary to clarify the situation or offer monitoring services. But, of course, there are problems with this approach too. Do we have the right address information? Will we be confusing people who may have received a number of these letters? Will an incomplete, albeit timely, communication cause unnecessary stress for the recipient?
Mr. Wright’s constitutional and other arguments may have merit and ought to be pursued to try and shape the law so that it is more reasonable and appropriate. However, such efforts take time and organizations need to think through now how they will respond to a data breach. Particularly for reasons of timing, companies need to have thought through and put in writing a data breach response plan. Doing so will help the company respond sooner and avoid the kinds of penalties discussed above. Training employees to recognize and report potential breaches also is critical.
By the way, HIPAA and the Massachusetts data security regulations require such a written plan and training . . .