Howard Anderson writes:
My fingers are crossed that the final version of the federal breach notification rule greatly clarifies when a breach has to be reported to the individuals affected as well as federal authorities.
I hope the final version states in the simplest possible terms that the federal law supersedes state laws, unless the state laws have tougher requirements.
[…]
Regulators need to make it easier for an organization to figure out how to comply with the rule. Spell out when a breach needs to be reported. Spell out when federal regulations prevail over state regulations. Remove any room for interpretation. Write the rule in clear enough language that an organization doesn’t need to hire a lawyer to decipher it.
Anderson discusses the confusion in the current controversy about whether South Shore Hospital is required to notify individuals. The federal regulations suggest that they do — if you remember that the backup tapes were not encrypted — but the federal regulations also have a “risk of harm” standard that the hospital said it applied. Massachusetts Attorney General Coakley thinks that SSH has to notify individuals under the federal regulations and HHS won’t comment.
How can we have regulations that reasonably intelligent people can all read and all come to different conclusions when applying to the same situation? I totally agree with Anderson that we need a simple rule with no wiggle room.
Read more on GovInfoSecurity.