Maine Notice of Risk to Personal Data Act
Me. Rev. Stat. tit. 10 § 1346, et seq.
SUMMARY:
EFFECTIVE. January 31, 2006
WHO DOES THIS LAW APPLY TO. Any person, business, or government agency that owns, maintains, or licenses computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition, release or use of computerized data that includes Personal Information that compromises the security, integrity or confidentiality of Personal Information maintained by a person, business, or government agency. Good faith acquisition, release or use of Personal Information by an employee or agent for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Account passwords, Personal Information numbers, or other access codes.
- Any of the above when not connected with the individual’s name if it is sufficient to permit fraud or identity theft.
Personal Information does not include third-party claims databases maintained by property and casualty insurance companies, public information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the state residents affected, and the Attorney General or the appropriate State regulators within the Department of Professional and Financial Regulation (if regulated by this department).
If more than 1,000 residents are involved in a breach, the person, business, or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)). Such notice shall include the date of the breach, the approximate number of individuals involved, and the date notice was or will be sent.
EXCEPTION. This Section does not apply to the following:
- Notification is not required if after conducting a good-faith, reasonable, and prompt investigation, the Entity determines that there is not a reasonable likelihood that the personal information has been or will be misused.
- A person, business, or government agency that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section if the laws or rules are at least as protective as the notice requirements in this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business, or government agency first becomes aware of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, within 30 days after becoming aware of the breach, consistent with the needs of law enforcement, and any measures necessary to determine the scope of the breach and to restore the reasonable integrity, confidentiality, and security of the data system. Notification may be delayed if it will impede a criminal investigation. In that instance, notification will be made no later than 7 business days following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $5,000, the affected class of persons to be notified exceeds 1,000, or the person, business or government agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or government agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or government agency if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or government agency maintains computerized data that includes Personal Information that it does not own, then the person, business or government agency shall notify the owner or licensor of the security breach immediately upon discovery. The person, business or government agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General shall enforce this law for any person or business not regulated by the Department of Professional and Financial Regulation. Any person, business or government agency which violates this law is subject to the following:
- A fine of up to $500 per violation by a person or business, not to exceed $2,500 for each day the violation continues (government agencies excluded).
- A court order prohibiting any further violations by the person, business, or government agency.
The rights and remedies available under this Section are cumulative and do not affect any other rights and remedies available under Federal or State law.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
L.D. 1671 – Signed into law on 6/10/2005, Effective 1/31/2006.
H.P. 672 – Signed into law on 5/19/2009, Effective 5/19/2009.
L.D. 696 – Signed into law on 6/28/2019, Effective 9/19/2019.
For more information, see here: https://legislature.maine.gov/statutes/10/title10sec1346.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.