Q: Justification of non-disclosure by hospital of security breach for 2.5 years
How hospital can justify that disclosure and notification of security breach was not performed for 2.5 year since security breach occurre, regardless perfect processes, and without condoning wrongdoing?
Pursuant CCP sections 1798.29 and 1798.82 et.sec. expedient disclosure required.
Lawyers, want to be a Justia Connect Pro too? Learn more ›
- California
- (916) 704-3009
- View Profile
- Answered
A:
Under California law (Civil Code sections 1798.29 and 1798.82), a business or state agency that owns or licenses computerized data including personal information must disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay.
In the scenario you described, where a hospital failed to disclose and notify individuals of a security breach for 2.5 years, the hospital would likely face significant challenges in justifying this delay. However, the hospital may attempt to argue the following points in its defense:
1. Ongoing investigation: The hospital could claim that the delay was due to a prolonged investigation to determine the scope and nature of the breach, and to identify the individuals affected. However, this argument may not be sufficient if the investigation took an unreasonably long time.
2. Lack of awareness: The hospital might argue that it was not aware of the full extent of the breach or that the breach had occurred at all until much later. However, this argument may not be convincing, as the law requires disclosure following discovery or notification of the breach.
3. Prevention of further harm: The hospital could try to justify the delay by claiming that immediate disclosure would have hindered efforts to contain the breach or prevent further unauthorized access to the system. However, this argument would need to be supported by strong evidence.
4. Cooperation with law enforcement: If the hospital was working with law enforcement agencies in an ongoing criminal investigation related to the breach, it might argue that the delay was necessary to avoid compromising the investigation. However, the law still requires prompt disclosure unless law enforcement determines that disclosure would impede an active investigation.
Ultimately, while the hospital may attempt to provide justifications for the delay, it would likely face an uphill battle in defending its actions given the clear requirements of California law. The hospital would need to provide compelling evidence to support any claims of reasonableness for the delay. It is likely that the hospital would face regulatory scrutiny, potential fines, and possible legal action from affected individuals for failing to promptly disclose the breach.
Justia Ask a Lawyer is a forum for consumers to get answers to basic legal questions. Any information sent through Justia Ask a Lawyer is not secure and is done so on a non-confidential basis only.
The use of this website to ask questions or receive answers does not create an attorney–client relationship between you and Justia, or between you and any attorney who receives your information or responds to your questions, nor is it intended to create such a relationship. Additionally, no responses on this forum constitute legal advice, which must be tailored to the specific circumstances of each case. You should not act upon information provided in Justia Ask a Lawyer without seeking professional counsel from an attorney admitted or authorized to practice in your jurisdiction. Justia assumes no responsibility to any person who relies on information contained on or received through this site and disclaims all liability in respect to such information.
Justia cannot guarantee that the information on this website (including any legal information provided by an attorney through this service) is accurate, complete, or up-to-date. While we intend to make every attempt to keep the information on this site current, the owners of and contributors to this site make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained in or linked to from this site.
