DataBreaches.Net

Data Breach Investigation | Due Process of Law

Posted on November 30, 2010 by Dissent

In September, I posted an excerpt from a thought-provoking commentary by attorney Benjamin Wright. In discussing a fine levied against Lucile Salter Packard Hospital for late notification under California’s breach notification law, he had written, in part:

The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.

At the time, I had a number of questions about his analysis and commentary, and I’m delighted to say that Ben recently got in touch with me and offered to expand on his previous article. The following, then, is a guest article and commentary by Benjamin Wright:

*****

On this blog, Dissent published comments about my observations regarding the Lucile Packard Children’s Hospital data breach case in California. I made a constitutional argument that data breach investigations should not be unduly rushed. Dissent expressed confusion about my argument, and has invited me to explain myself here.

I stress that I am not passing judgment on the decisions in this particular LPCH case because I don’t know enough of the facts. But I am using the case to make a general point about law and the investigation of suspected data breaches.

Background: In the LPCH case one employee alleged that another employee walked out the door with a computer containing sensitive data. The alleged perpetrator otherwise was authorized to use the computer in question and to access the data. LPCH conducted an investigation, which included asking police to attempt to recover the computer. After determining that the computer was unrecoverable, LPCH sent out breach notices on February 19, 2010. The California Department of Public Health said the notices should have gone out more quickly, and therefore fined LPCH. CDPH says that as of February 2, 2010, LPCH had “confirmed” the breach.

On my blog, I argued the California breach notice law should not be interpreted to require hair-trigger determinations by data holders on the question of whether a breach has occurred. In other words I argued that a rush to judgment is bad law and unconstitutional.

This is what I mean. Just because a data holder suspects that data were accessed wrongfully does not mean that in fact the data were accessed wrongfully. When a suspicion exists, an investigation is required. But the investigation should not be a pell-mell rush to a conclusion, one way or another, on whether a breach did occur.

In my experience, the facts that surface in a data security investigation are often voluminous, messy and confusing. For example, just because one employee makes an allegation about another employee, it does not mean the allegation is true. Getting to the truth often requires time, deliberation, and judgment.

Data breach investigations often raise difficult issues of evidence. Rarely does the investigation possess ironclad evidence that a breach has occurred with respect to any particular unit of data. What do I mean by “ironclad” evidence? An example of “ironclad” evidence would be a formal, written affidavit, signed and notarized, stating as follows: “I am Jane Smith. I hereby attest that on June 14, 2010, approximately 2pm Pacific Time, I used a computer on the premises of ABC Hospital and that computer did not belong to me, and I had no right to use the computer in the way I used it. I used that computer to view the name, social security number and postal address of patient John Doe, and I used the computer to exercise dominion over the aforementioned data. I further attest that at the stated time I was not authorized by ABC Hospital, John Doe or any other legal authority to view and exercise dominion over that information.” Now that’s strong evidence for supporting the conclusion that a breach has occurred.

In real-world cases, however, the evidence is often voluminous, complex, contradictory and sketchy. It includes flimsy things like allegations by employees who may have conflicts of interest or are otherwise fallible. It includes computer logs that show only little snippets of information that can be interpreted in numerous different ways.

To weigh imperfect evidence often requires careful thought, consultation with outside experts, collection of additional evidence that’s hard to get, and a good night’s sleep (and possibly more than one night of sleep). I caution against data holders like LPCH making snap, irrational decisions about whether a breach has or has not happened.

In the LPCH case, the hospital maintains that it sent out notices promptly after it had rationally, based on careful, logical review of all the evidence, concluded that a breach had occurred. CDPH, on the other hand, contends that LPCH should have concluded that a breach had occurred much earlier. I don’t know who is right in this case.

But here’s my point on constitutionality: The constitution guarantees “due process of law.” That means laws cannot work or be enforced in arbitrary, capricious or unreasonable ways. In other words, public officials like CDPH cannot impose fines on a whim or just because they want to “send a message” to all those institutions that hold data.

Further, our legal system has long recognized that the evaluation of evidence takes time. That’s why juries are sent for hours, days or even weeks to deliberate in jury rooms, and why the juries are periodically released so jurors can go home, rest and sleep, even while the jury is still in service. A jury cannot rationally reach a conclusion that a defendant is “guilty” until the jury has deliberated.

The California breach notice law requires the sending of notice after it is known that the breach occurred. To “know that a breach has occurred” is to reach a legal conclusion (like the conclusion that a defendant in a criminal trial is “guilty”).

But one cannot know or confirm a legal conclusion involving complex facts until after a rational, deliberate review of the facts. If an official like CDPH interprets the law so that a data holder is deemed to know or confirm something before it’s had a due opportunity to investigate and think carefully about the facts, then the official is acting arbitrarily, capriciously and unreasonably.

Bottom line: Competent investigations take time. Officials like CDPH should not pressure data holders to engage in hasty, incomplete investigations.

–Benjamin Wright
http://legal-beagle.typepad.com

*****
Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS).

Category: Health Data

