When is Data Loss Known or Discovered?
The investigation of an apparent data security breach requires analysis, diligence and judgment. Sometimes a snap conclusion that a breach has occurred is not justified by the facts of the case, after they have been weighed fully.
The timeline of a breach investigation is the subject of a dispute between Lucile Packard Children’s Hospital and the California Department of Public Health. CDPH imposed a $250,000 fine on the hospital for waiting too long before it notified patients of a data breach. A misbehaving employee stole a PC, one the employee had been authorized to use, that contained patient information.
California medical breach notice law requires the hospital to notify patients within five days after discovering the breach. CDPH maintains: "Based on interviews and record review, the hospital failed to notify a privacy breach of patients’ protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10."
The hospital is appealing CDPH’s decision. In its rebuttal, the hospital says:
"Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home." [emphasis added]
Further, the hospital says, "The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly. As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients."
So CDPH contends the breach was "confirmed" on February 1. But the hospital, apparently, believed it could not confirm a breach until the police effort to recover the computer had failed. Meanwhile, the hospital may have judged the likelihood of data abuse to be low, perhaps because (a) it was not even sure the employee had taken the computer (it might simply have been misplaced), (b) the employee was under a legal obligation to protect the data, and/or (c) the hospital had no evidence that the employee’s purpose was to abuse the data.
I don't know all of the facts of this case and therefore I will not pass judgment on either CDPH or the hospital.
Yet I will say that it is irresponsible for data holders to issue breach notices before they have concluded a true breach has occurred. Unnecessary notices inflict angst and confusion on data subjects. A mere security vulnerability is not a breach.
To distinguish between a vulnerability and a breach often requires deliberation. Deliberation can require painstaking collection of facts, coordination with other parties such as law enforcement, and careful review of those facts, often with input from learned parties such as outside experts.
The California Legislature made clear it wants notices to be issued quickly. However, the law should not be interpreted to require rash decision-making. If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law. That interpretation would render the law arbitrary, capricious and unreasonable, in conflict with the due process required by the US Constitution.
Update: I have elaborated on the argument I made here.
Mr. Wright teaches computer investigations law at the SANS Institute.