10 Me. Rev. Stat. § 1346 et seq.

L.D. 1671 (signed into law June 10, 2005, Chapter 379)

Effective January 31, 2006

H.P. 672 (signed into law May 19, 2009, Chapter 161)

Effective May 19, 2009

L.D. 696 (signed into law June 28, 2019, Chapter 512)

Effective September 19, 2019

Application. Any individual, or other legal or government entity, or any information broker (a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties) that maintains computerized data that includes PI (collectively, Entity).

Security Breach Definition. An unauthorized acquisition, release, or use of an individual’s computerized data that includes PI that compromises the security, confidentiality, or integrity of PI of the individual maintained by an Entity.

• Good-faith acquisition, release, or use of PI by an employee or agent of an Entity on behalf of the Entity is not a breach of the security of the system if the PI is not used for or subject to further unauthorized disclosure to another person.

Notification Obligation. An Entity shall give notice of the breach to a resident of ME whose PI has been, or is reasonably believed to have been, acquired by an unauthorized person.

• Notification is not required if after conducting a good-faith, reasonable, and prompt investigation, the Entity determines that there is not a reasonable likelihood that the PI has been or will be misused.

Attorney General/State Agency Notification. When notice of a breach of the security of the system is required, the Entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the Entity is not regulated by the Department, the state Attorney General.

Notification to Consumer Reporting Agencies. If an Entity must notify more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, the nationwide consumer reporting agencies of the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.

Third-Party Data Notification. A third party that maintains, on behalf of another Entity, computerized data that includes PI that the third party does not own shall notify the owner of the PI of a breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

Timing of Notification. If notice is not delayed due to law enforcement, notification must be made no more than 30 days after becoming aware of the breach and identifying its scope. The notices must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data in the system. Notification may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.

Personal Information Definition. An individual’s first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

• Social Security number;
• Driver’s license number or state identification card number;
• Account number, credit card number, or debit card number if circumstances exist wherein such a number could be used without additional identifying information, access codes, or passwords;
• Account passwords or PI numbers or other access codes; or
• Any of the above data elements when not in connection with the individual’s first name, or first initial, and last name, if the information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

PI does not include information from third-party claims databases maintained by property and casualty insurers or publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Notice Required. Notice may be provided by one of the following methods:

• Written notice; or
• Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-Sign Act).

Substitute Notice Available. If the Entity maintaining PI demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000, or that the person maintaining PI does not have sufficient contact information to provide written or electronic notice to those individuals. Substitute notice shall consist of all of the following:

• Email notice, if the Entity has email addresses for the individuals to be notified;
• Conspicuous posting of the notice on the Entity’s website, if the Entity maintains one; and
• Notification to major statewide media.

Penalties. Provides for civil penalties in the amount of $500 per violation, up to a maximum of $2,500 per day; equitable relief; or enjoinment from future violations.

Exception: Compliance with Other Laws.

• An entity that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to Maine or federal law is deemed to be in compliance with the requirements as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements outlined above.

Other Key Provisions:

• Delay for Law Enforcement. If, after the completion of the required investigation, notification is required under this section, the notification required by this section may be delayed for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
• Attorney General Enforcement. Enforced by state Attorney General and/or where applicable, the Department of Professional and Financial Regulation Office of Consumer Credit Regulation.