Come on Main, what the hell are you guys doing?

In an opinion type piece where someone wanted clarification of breach notification laws, Databreaches got a pretty screwed up answer in my opinion.

Thank you for your inquiry. The Attorney General is unable to provide legal advice to the public and our interpretation of requirements of the breach notification law is very dependent on specific facts and circumstances, which we would have to investigate to ascertain compliance. We don’t and couldn’t investigate every breach notice that is filed with our office. The database is published as a public service to consumers and the public.

Here is the question which yielded this response above.

I am not sure I really understand a provision in Chapter 210-B §1348. Security breach notice requirements, and am seeking clarification.

In Paragraph 1, it says: “The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system. If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope.‘

I need clarification on what it means to identify or determine the scope of the breach. Can an entity take 8 months to figure out everyone they need to notify and say that the breach was only “discovered” after they completed that full investigation? Or is the breach discovered for purposes of reporting to the regulator when the entity knows personal information has been accessed or acquired, even if they are not yet sure exactly how many people and who had their data acquired?

I read a lot of notification letters appended to submissions to your site from health care entities that report a “breach discovered” date that is not in compliance with how HIPAA and HITECH define “discovered.” Their letters are pretty much deceiving patients about when a breach was “discovered,” and I wonder if they are in compliance with Maine’s statute or if they are also violating Maine’s statute.

Seeking clarification on Maine’s data breach notification statute is the article from Databreaches. Have fun parcing this one out!