If you can’t get an interpretation of a state breach notification statute from the state’s attorney general, where can you get it?
DataBreaches recently wrote to the Maine Attorney General’s Office:
I am not sure I really understand a provision in Chapter 210-B §1348. Security breach notice requirements, and am seeking clarification.
In Paragraph 1, it says: “The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system. If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope. ‘
I need clarification on what it means to identify or determine the scope of the breach. Can an entity take 8 months to figure out everyone they need to notify and say that the breach was only “discovered” after they completed that full investigation? Or is the breach discovered for purposes of reporting to the regulator when the entity knows personal information has been accessed or acquired, even if they are not yet sure exactly how many people and who had their data acquired?
I read a lot of notification letters appended to submissions to your site from health care entities that report a “breach discovered” date that is not in compliance with how HIPAA and HITECH define “discovered.” Their letters are pretty much deceiving patients about when a breach was “discovered,” and I wonder if they are in compliance with Maine’s statute or if they are also violating Maine’s statute.
Here’s the response from Danna Hayes, J.D., Special Assistant to the AG Office of the Maine Attorney General
Thank you for your inquiry. The Attorney General is unable to provide legal advice to the public and our interpretation of requirements of the breach notification law is very dependent on specific facts and circumstances, which we would have to investigate to ascertain compliance. We don’t and couldn’t investigate every breach notice that is filed with our office. The database is published as a public service to consumers and the public.
If they can’t answer the question about what the statute means in terms of when a breach must be reported by, how can entities be expected to comply with it?