- Due Care and Due Diligence
- Due Diligence — Investigating and understanding the risks a company faces, actions ensuring that policies are properly applied and controls are effective.
- Due Care — Conduct that a reasonable and prudent person with proper training will exercise while looking out for the safety of others. If one uses due care, an injured party cannot prove negligence.
- Criminal law is government vs persons, groups, or organizations violating statutes. Conduct prohibited by the government, protecting safety and well-being of the public. Penalties can be monetary, prison time, or even death. Requires proof "beyond a reasonable doubt", very small chance it's not true.
- Civil law governs private citizens and their disputes. Parties are strictly private entities including individuals, groups, and organizations. Could be a breach of contract with cloud service provider. Penalties are monetary, or court-ordered relief such as property of the performance of activities. Requires "a preponderance of evidence", more likely true than not.
- Tort law —
Part of civil law,
"a body of rights, obligations, and remedies"
setting out reliefs for persons suffering
harm as a result of wrongful acts
The individual who committed the wrongful act
is liable for the costs and consequences of it,
not the victim.
Don't require a prior agreement between
It has 4 objectives:
- Compensate victims for injuries suffered by culpable action or inaction of others
- Shift the cost of such injuries to the person or persons legally responsible for inflicting them
- Discourage injurious, careless, and risky behavior in the future
- Vindicate legal rights and interests that have been compromised or diminished
Criminal vs tort vs civil:
- Criminal: Prosecuting attorney says "He stole PHI and sold it for fraud, extortion, and identity theft."
- Tort: Patient says "The hospital did not exercise Due Care, my PHI was inadequately protected."
- Civil: Hospital says "That company did not process our data correctly, despite our contract."
- The doctrine of the proper law — When there's a conflict of laws, this determines in which jurisdiction the dispute will be heard.
- Restatement (second) conflict of laws — A collation of developments in the common law (that is, judge-made law, not legislation) informing judges and the legal world of updates in the area. It relates to a difference between the laws. This is the basis for deciding which laws are most appropriate when there are conflicting laws in different states. Not which jurisdiction, that's "proper law", but which of several laws that have evolved in parallel.
- Harmonization — Making a single law that replaces a variety of similar but slightly different laws, as in the many national privacy laws in the EU was harmonized into GDPR.
- Agent of the government: When a private citizen performs an act that the government would need a warrant for, such as a search and seizure.
- Warrant: Issued to law enforcement by a judge on presentation of probable cause, enforces the arrest of an individual or seizure of property.
- Subpoena: Issued by an attorney with a material interest in the case. The subpoena is "issued by an officer of the court", must be obeyed like a warrant.
- Doctrine of plain view: In some U.S. states, a law enforcement officer may seize evidence without a search warrant if they can see it without making entry.
- Doctrine of the silver platter:
When you hand over unneeded data in the
production step, too much, and some might
get used against you.
- Policeman pulls you over, sees a bloody ax in the back seat = doctrine of plain view
- Policeman pulls you over, you ask "Don't you want to look in my trunk?" = doctrine of the silver platter
One country transfers a suspected or
convicted criminal to another country,
- Act is a crime punishable in both countries
- Countries have an extradition treaty
- Penalty or punishment is generally equal in both countries
- Harmonization of law: Creating common legal standards across the EU.
- Preparing for legal actions:
- Legal hold: When a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and ensure the preservation of relevant documents.
- E-Discovery: Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence.
- Spoliation: The intentional or accidental destruction or alteration of data either on “legal hold” or lawfully requested.
- Production: Presenting the requested data to the court or requesting party.
- Operational — in-house
- Civil — two parties settle a disagreement in court, just needs over 50% proof ("preponderance of evidence")
- Criminal — jury or judge must find "beyond a reasonable doubt"
- Police are constrained by the Fourth Amendment, private citizens are not (unless working as agents of the government)
Data Subject / Controller / Processor / Steward / Custodian / Owner
- Data subject is an individual who is the focus of personal data
- Data controller is a person who alone or jointly with others determines the purposes for which and the manner in which any personal data is processed
- Data processor is any person other than an employee of the data controller who processes the data on behalf of the data controller
- Data steward is responsible for data content, context, and associated business rules
- Data custodian is responsible for safe custody, transport, and storage of data, and implementation of business rules
- Data owner holds the legal rights and complete control over a single piece of data elements. The data owner also can define distribution and associated policies
If you have to distinguish between data custodian and data steward, custodians are responsible for technical controls (e.g., CIA, accuracy, audit trails, technical standards), while stewards are responsible for business controls (e.g., requirements, metadata, governance, compliance).
So, at a hospital:
- Data Subject = Patient.
- Data Owner = CEO and/or board of directors. They own the data. They are accountable, legally liable in a breach.
- Data Controller = CEO and/or board of directors when they determining purposes for the data, and how it should be processed and protected.
- Data Steward = Director of medical records. Nurses, physicians, and others enter and maintain data according to the steward's requirements. It's accurate and protected because, of course, they follow the rules.
- Data Custodian = System administrators, network engineers, whoever does physical control of data centers and access points. Custodians do technical controls, stewards do business controls.
- Data Processor = Contractor who transcribes physicians' recorded voice notes, or handles transactions with insurance companies.