Like most U.S. states, Maine has a statute that requires investigations and sometimes notice to third parties after data breaches. The statute—the Notice of Risk to Personal Data Act—took effect in 2005. This article summarizes the law.
Overview and Important Definitions
Maine’s Notice of Risk to Personal Data Act is codified at §1346 et seq. of Chapter 210-B of Part 3 of Title 10 of the M.R.S. The statute applies to any company or person who maintains personal information in the categories the statute defines.
Key defined terms in the Notice of Risk to Personal Data Act include:
Person means any individual, business entity, or Maine state government agency, among others.
Unauthorized Person means a person who lacks another person’s permission to access personal information maintained by that other person or who accesses that same personal information by fraud, deception, or similar practices.
Information Broker means a person whose business, for compensation, includes collecting and reporting on individuals and taking other actions regarding them, for the main purpose of providing personal information to non-affiliated third parties.
Personal Information means any of the following, except when redacted or encrypted and with other exceptions:
- an individual’s first name or first initial and their last name, when kept in combination with other types of identifying information (e.g., social security number, driver’s license number, various types of payment information, and account passwords); or
- those other types of identifying information when they are stored without name information but still provide enough detail to allow third parties to assume an individual’s identity.
Security Breach or Breach of the Security of the System means an unauthorized acquisition, release, or use of an individual’s computerized data containing personal information, where that acquisition, release, or use compromises the security, confidentiality, or integrity of the personal information that a person maintains. The statute treats certain good-faith disclosures as exempt from the definition of security breach, however.
Investigations and Notifications After Security Breaches
Any person who maintains computerized data that includes personal information must conduct a prompt, good-faith, and reasonable investigation when they become aware of a security breach. That investigation must determine the likelihood that personal information has been misused or will be misused. After the initial investigation, the person’s obligations differ depending on whether they are an information broker or any other person:
- An information broker must notify each Maine resident whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. The broker must also notify the Department of Professional and Financial Regulation.
- Any other person must notify each Maine resident whose personal information has been misused or whose misuse is reasonably possible, as well as the Maine Attorney General.
If the person must notify more than one thousand Maine residents at once, then the person must also notify consumer reporting agencies of the incident.
If law enforcement directs the person to delay further public disclosure of the breach pending its investigation, the person must hold off on notifying third parties, but must then begin sending any required notices within seven days after law enforcement clears them to do so. If law enforcement does not direct that third-party notices be suspended, the person must notify affected Maine residents. That notice must be sent “as expediently as possible and without unreasonable delay,” and in any case no more than 30 days after the person’s discovery of the breach.
A Safe Harbor for Compliance with Other Reporting Laws
A person is deemed compliant with the notification requirements under the Notice of Risk to Personal Data Act if that person complies with the breach notification requirements imposed by another Maine law or by federal law. This safe harbor only applies, however, if that other law’s notification provisions are at least as protective as those of the Notice of Risk to Personal Data Act.
Actions by Unauthorized Persons
The Notice of Risk to Personal Data Act also bars unauthorized persons from using or releasing personal information acquired through a security breach.
Enforcement and Penalties
Maine’s Notice of Risk to Personal Data Act does not create a private right of action. The Department of Professional and Financial Regulation enforces the statute with respect to those persons regulated or licensed by that Department. The Maine Attorney General enforces the law in all other cases.
Violations of the statute are subject to equitable relief and fines of $500 per violation (capped at $2,500 for any single day on which multiple violations occur) for most actors. Penalties are cumulative and do not pre-empt or affect other rights or remedies under federal or state laws.