Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Maine residents.
Data elements alone are considered personal information if the data would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
Definition does not include third party claims databases maintained by property and casualty insurers.
“Security Breach” means unauthorized acquisition, release, or use of an individual’s computerized data that contains personal information that compromises the security, confidentiality, or integrity of the personal information.
“Encryption” means the disguising of data using generally accepted practices.
“Information Broker" means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.
Covered Entities* / Third Party Recipients
Subject to statute:
Any information broker, individual, legal entity, and private colleges and universities that maintain computerized data that includes personal information.
Third party recipients:
Any third party entity that maintains, on behalf of a covered entity, computerized data that includes personal information that the third party does not own must notify the owner following discovery of a security breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach as expediently as possible and without unreasonable delay, but no later than thirty (30) days after becoming aware of the breach, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification may be delayed for no longer than seven (7) business days after a law enforcement agency authorizes the notification).
- Substitute notice is available by means prescribed in the statute if costs to exceed $5,000, affected class exceeds 1,000 persons, or covered entity does not have sufficient contact information.
- Notice not required if, after a reasonable and prompt investigation, the covered entity determines that there is no reasonable likelihood that personal information has been or will be misused.
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Exemption for good faith acquisition, release, or use of personal information by employee or agent acting on behalf of covered entity so long as personal information is not used for or subject to further unauthorized disclosure.
Covered entity deemed in compliance with the Maine statute if it complies with other federal or state security breach notification requirements at least as protective as Maine statute.
Notification to Regulator / Waiver
Attorney general or Department of Professional and Financial Regulation must be notified of a security breach.
Information brokers must notify the Department of Professional and Financial Regulation and all other covered entities must notify the attorney general.
A determination of no likelihood of harm:
Does not require notification to attorney general.
Fines of not more than $500 per violation, up to a maximum of $2,500 per each day covered entity is in violation of statute. Equitable relief and enjoinment from future violations are also available.
Private Cause of Action / Enforcement
Private Cause of Action: No.
The statute is enforced by the Department of Professional and Financial Regulation as to licensed data brokers and by the attorney general as to all others.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute