Maine
10 Me. Rev. Stat. § 1346 et seq.
L.D. 1671 (signed into law June 10, 2005, Chapter 379)
Effective January 31, 2006
H.P. 672 (signed into law May 19, 2009, Chapter 161)
Effective May 19, 2009
Application. Any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of state government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities, or any information broker, which means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties (collectively, Entity) that maintains computerized data that includes PI. The provisions governing maintenance of PI are applicable to any Entity maintaining information on ME residents, whether or not organized or licensed under the laws of ME.
Security Breach Definition. An unauthorized acquisition, release or use of an individual’s computerized data that includes PI that compromises the security, confidentiality or integrity of PI of the individual maintained by an Entity.
- Good-faith acquisition, release or use of PI by an employee or agent of an Entity on behalf of the Entity is not a breach of the security of the system if the PI is not used for or subject to further unauthorized disclosure to another person.
Notification Obligation. If an Entity that maintains computerized data that includes PI becomes aware of a breach of the security of the system, the Entity shall give notice of the breach following discovery or notification of the security breach to a resident of ME whose PI has been, or is reasonably believed to have been, acquired by an unauthorized person.
- Notification is not required if after conducting a good-faith, reasonable and prompt investigation, the Entity determines that there is not a reasonable likelihood that the PI has been or will be misused.
Attorney General/State Agency Notification. When notice of a breach of the security of the system is required, the Entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the Entity is not regulated by the department, the state AG.
Notification to Consumer Reporting Agencies. If an Entity must notify more than 1,000 persons at a single time, the Entity shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.
Third-Party Data Notification. A third party that maintains, on behalf of another Entity, computerized data that includes PI that the third party does not own shall notify the owner of the PI of a breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Notification. The notices must be made as expediently as possible and without unreasonable delay, consistent with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data in the system.
Personal Information Definition. An individual’s first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
- Social Security Number;
- Driver license number or ME identification card number;
- Account number or credit card number or debit card number if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;
- Account passwords or personal identification numbers (PINs) or other access codes; or
- Any of the above data elements when not in connection with the individual’s first name, or first initial, and last name, if the information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
Notice Required. Notice may be provided by one of the following methods:
- Written notice; or
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. Substitute notice may be used if the Entity maintaining PI demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000, or that the person maintaining PI does not have sufficient contact information to provide written or electronic notice to those individuals. Substitute notice shall consist of all of the following:
- Email notice, if the Entity has email addresses for the individuals to be notified;
- Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide media.
Penalties. Provides for civil penalties in the amount of $500 per violation, up to a maximum of $2,500 per day; equitable relief; or enjoinment from future violations.
Other Key Provisions:
- Delay for Law Enforcement. If, after the completion of the required investigation, notification is required under this section, the notification required by this section may be delayed for no longer than seven business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
- AG Enforcement. Enforced by state AG and/or where applicable, the Department of Professional and Financial Regulation Office of Consumer Credit Regulation.