Requesting Explanation on Maine’s Data Breach Notification Law

Parker Bytes December 5, 2023

Blimey! Trying to interpret a breach notification statute is no walk in the park, is it?

Picture this – you stumble across a security breach, and you need to notify people about it. Fair enough, right? You turn to Chapter 210-B §1348 on security breach notice requirements and you’re confronted with this jumble of words. They say you’re supposed to notify people “as expediently as possible and without unreasonable delay”. But wait, there’s more – this is only when you’re in line with law enforcement needs or determining the scale of the breach.

Still with us? Right, because here comes the twist. You’ve got 30 days from identifying the breach and its scope to notify folks about it unless law enforcement have put a spanner in the works. Now, they’re up to their eyeballs in all of this stuff, but who knows? Maybe they could slow things down.

Questions over tea and scones seem more enjoyable than this, don’t they? What does identifying or determining the breach’s scope even mean? Does it mean that if it takes you the better part of a year, then you can just say you only just uncovered the breach after your mega investigation?

Or does the fun and games start when you first realise that personal information has been nabbed, even if you aren’t sure how many people or who might be affected? It’s worse than the plot of a bloody mystery novel.

Now, let’s take those notification letters from healthcare organisations. They’re full of phrases like “breach discovered” with dates that wouldn’t be caught within a country mile of how HIPAA and HITECH define “discovered”. It feels like they’re pulling the wool over the patients’ eyes about when they’ve stumbled upon a breach.

It’s a right head-scratcher – are they following Maine’s statute to the letter or are they bending the rules?

Now get this, Danna Hayes – we’ll call her Special Assistant to the AG Office of the Maine Attorney General for the day – came back with a bit of a ‘how’s your father’. She kindly reminded us that the Attorney General can’t dish out legal advice to the public. Apparently, making sense of the breach notification law depends on the specifics of the situation which they would need to investigate. But here’s the kicker – they can’t scrutinise every breach notification that lands on their desks, even though they publish these as a service for consumers and the public.

So here’s the million-pound question: if even the authorities can’t crack what this statute means for when a breach should be reported, how on earth are organisations supposed to stay on the straight and narrow? Bit of a poser innit?
