« July 2010 | Main | October 2010 »

September 2010

09/21/2010

Data Breach Investigation | Constitutionality | Arbitrary, Capricious?

When is Data Loss Known or Discovered?


The investigation of an apparent data security breach requires analysis, diligence and judgment.  Sometimes a snap conclusion that a breach has occurred is not justified by the facts of the case, after they have been weighed fully.


The timeline of a breach investigation is the subject of a dispute between Lucile Packard Children’s Hospital and the California Department of Public Health.   CDPH imposed a $250,000 fine on the hospital for waiting too long before it notified patients of a data breach.  A misbehaving employee stole a PC (containing patient information), which the employee had been authorized to use.
California medical breach notice law requires the hospital to notify patients within five days after discovering the breach.  CDPH maintains:  "Based on interviews and record review, the hospital failed to notify a privacy breach of patients’ protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10."

The hospital is appealing CDPH’s decision.   In its rebuttal, the hospital says:


"Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home." [emphasis added]


Further, the hospital says, "The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly. As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients."

So CDPH contents the breach was "confirmed" February 1.   But, apparently, the hospital believed it could not confirm until after a police action failed to recover the computer.   Meanwhile, the hospital may have felt that the likelihood of data abuse was low, perhaps because (a) it was not even sure the employee took the computer (maybe it was just misplaced), (b) the employee was under legal obligation to protect the data and/or (c) the hospital had no evidence to suggest the employee’s purpose was to abuse data.


I don't know all of the facts of this case and therefore I will not pass judgment on either CDPH or the hospital.

Yet I will say that it is irresponsible for data holders to issue breach notices before they have concluded a true breach has occurred.   Unnecessary notices inflict angst and confusion on data subjects.  A mere security vulnerability is not a breach.

To distinguish between a vulnerability and a breach often requires deliberation.   Deliberation can require painstaking collection of facts, coordination with multiple parties such as law enforcement and careful review of the facts, often with input from multiple learned parties, such as outside experts.


The California Legislature made clear it wants notices to be issued quickly.  However, the law should not be interpreted to require rash decision-making.   If the law is interpreted as a hair-trigger requirement for notices before a competent investigation can be concluded, then I question the constitutionality of the law.  That interpretation would render the law arbitrary, capricious, unreasonable, in conflict with the need for due process under the US Constitution.

Update:  I have elaborated on the argument I made here.

Mr. Wright teaches computer investigations law at the SANS Institute.

Posted at 12:42 PM in breach, data-holder reduces risk, regulatory authorities | | Comments (0) | TrackBack (0)

Tags: hospital

09/01/2010

How to Conduct a Cyber Investigation

Collecting Evidence in Sequence


In the digital realm, an investigator must be careful lest her work run afoul of the myriad rules and laws that restrain her.  She must be mindful of ethics, and laws on privacy, contract,
property and trespass (e.g., a web site owner might post terms that forbid her from entering the site).   


In e-discovery if her demands for records from another party are too onerous, the demand may be quashed.  (See for example Mirbeau of Geneva Lake, LLC v. City of Lake Geneva.)


So what is a prudent, responsible investigator to do?

Rational Behavior is Preferred


The investigator can often strengthen her probes and requests by ensuring that she systematically develops and collects evidence in a sequential order, and that each step she takes is rationally based on evidence she already possesses.  For instance, before an HR investigator peeks into an employee’s email records, the investigator is wise to document (1) that she has reason to suspect the employee’s records will contain something the investigator needs to see (such as harassing emails), and (2) the evidentiary basis for that suspicion.  

Good records by the investigator will show that she gathered preliminary evidence and deliberated logically before she barged into another person’s records or property.

Canadian Privacy Case Demonstrates the Principle

By way of example, see the decision by the Office of the Privacy Commissioner of Canada (PIPEDA Case Summary #2009-019) involving an investigation by an employer into whether an employee had violated his employment contract.   Somewhat like the laws of some European countries, privacy law in Canada (PIPEDA) generally restrains an employer from reading employee email stored on the employer’s computers.  

However, in this case the Privacy Commissioner observed that PIPEDA provides that "an organization may collect personal information without the knowledge or consent of the individual only if it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province."   The facts in this case showed that the employer conducted – and documented – a predicate investigation before it gazed into the employee’s emails.  The Commissioner found that before accessing the emails, the employer possessed evidence showing that this employee was violating his employment agreement and that information about this violation would likely appear in the employee’s email records.  Accordingly, the Commissioner concluded that the employer was justified when it decided to open the employee’s email records and the employer acted in compliance with PIPEDA.

Principle Applies to Many Kinds of Investigations

Just as an evidence-based style of investigation will help support an internal HR investigation, it will also help support e-discovery in litigation.  Normally when a requesting litigant demands computer records, a court is reluctant to force the responding litigant to search through them because searching is expensive and disruptive.  However, the court is more likely to require the search if the requester has a logical, evidence-based reason to believe that the cost of the search will be proportionate to the case at hand will likely reveal relevant information.  

This principle of e-discovery places a burden on the requesting litigant.  The litigant needs to possess and understand predicate evidence before it asks for more evidence.  

Attorney Wright trains cyber-investigators at the SANS Institute.

Read more on law of trespass in the data age.

 

 

Posted at 06:18 PM in ethics, litigation, SANS Institute | | Comments (0)

Tags: privacy investigation

Wright's Online SANS Education

My Photo

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

IT Administrators

Custom Professional Training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

SANS Quote

  • Professional Education
    "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

About

MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓

Twitter

  • Follow benjaminwright on Twitter

Become a Fan

Benjamin Wright
Benjamin Wright

Find More on This Blog

Subscribe to this blog's feed