The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Individuals, businesses, and governmental entities that maintain, own, or license personal information.
Consumer Notification: Notification must be provided to any Maine resident whose personal information was acquired, released, or used on an unauthorized basis that compromises the “security, confidentiality, or integrity” of that information.
Regulatory Notification: When notice of a breach is provided, the entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.
Notification Timeline: Notice must be made as “expediently as possible without unreasonable delay”, but no more than 30 days after the breach is determined.
Data Format: Electronic.
Citations: Me. Rev. Stat. Tit. 10 §§ 1346 – 1350-B
- Breach: The unauthorized acquisition, release, or use of a consumer’s personal information that compromises the “security, confidentiality, or integrity” of that information.
- Personal Information (PI): An individual's first name or first initial and last name in combination with one of the following data elements:
  - Social Security number;
  - Driver’s license or state identification card number;
  - Account number, credit card number or debit card number, if such a number could be used without additional identifying information, access codes or passwords; or
  - Account passwords or personal identification numbers or other access codes.
- Additionally, any of the data elements above when not connected with a resident’s name, if the information is sufficient to permit a person to fraudulently assume or attempt to assume the identity of a consumer whose information was compromised.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: A “breach” does not occur if the personal information was encrypted or redacted.
- Good Faith: Good-faith acquisition of personal information is not a breach if not used or subject to further unauthorized disclosure.
- Risk of Harm: If the entity is not an “information broker”, notice is not required if, after a reasonable and prompt investigation, the entity determines there is no reasonable possibility that a consumer’s personal information has been or will be misused.
- Law Enforcement Delay: Notification may be delayed no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.
- Timing: Notice must be made as “expediently as possible without unreasonable delay”, but no more than 30 days after the breach is determined.
- Format: N/A
- Content: N/A
- Method: Written notice; or electronic notice, if the notice provided is “consistent with the provisions regarding electronic records and signatures” per E-SIGN.
If the cost of providing notification would exceed $5,000, the affected class of persons exceeds 1,000, or the agency or person does not have sufficient contact information, substitute notice can be made in the following manner: (1) e-mail notification when the agency has e-mail addresses for the affected consumers; (2) conspicuous posting of the notice on the web page of the entity; and (3) notification to major statewide media.
When notice of a breach is provided, the entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.
Credit Reporting Agencies Notice:
If notification is issued to more than 1,000 persons, an entity must notify, without unreasonable delay, all nationwide consumer reporting agencies of the date of the breach, an estimate of consumers affected, and the date of the notice.
An entity that maintains personal information that it does not own shall notify the owner or licensee of any breach as soon as reasonably practicable following discovery.
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Maine, not including a purchasing group or a risk retention group chartered and licensed in a state other than Maine or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee with 10 or more employees, including independent contractors, must develop, implement and maintain a comprehensive, written information security program commensurate with the size and complexity of the licensee, based on the licensee’s risk assessment, and containing administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information systems.
Consumer Notification: A licensee shall comply with the Maine Notice of Risk to Personal Data Act, Chapter 210-B of Title 10, as applicable.
Regulatory Notification: A licensee shall notify the Superintendent of the Bureau of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Citations: 24-A M.R.S.A. §§ 2261-2272
- Consumer: An individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of Maine and whose nonpublic information is in a licensee’s possession, custody or control.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization or an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Maine, not including a purchasing group or a risk retention group chartered and licensed in a state other than Maine or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  - Business-related information of a licensee the tampering with or unauthorized disclosure of, access to or use of which would materially and adversely affect the business, operations or security of the licensee;
  - Information that, because of name, number, personal mark or other identifier, can be used in combination with any one (1) or more of the following data elements to identify a consumer:
    - Social security number;
    - Driver’s license number or nondriver identification card number;
    - Any security code, access code or password that would permit access to a consumer’s financial account; or
    - Biometric records; or
  - Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
    - The past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer’s family;
    - The provision of health care to a consumer; or
    - Payment for the provision of health care to a consumer.
“Nonpublic information” does not include a consumer’s personally identifiable information that has been anonymized using a method no less secure than the so-called safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
A licensee shall notify the Superintendent of the Bureau of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- Maine is the licensee’s state of domicile, in the case of an insurance carrier, or Maine is the licensee’s home state, as that term is defined in section 1420-A, subsection 2, in the case of an insurance producer; or
- The licensee reasonably believes that the nonpublic information involved concerns 250 or more consumers residing in this State and that the cybersecurity event is either of the following:
  - A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory organization or other supervisory body pursuant to any state or federal law; or
  - A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Maine or a material part of the licensee’s operations.
When notifying the Superintendent of the Bureau of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information include, but are not limited to, medical information, financial information and information allowing identification of a consumer.
- The period of time during which the information system was compromised by the cybersecurity event.
- The total number of consumers in Maine affected by the cybersecurity event. The licensee shall provide its best estimate in the notification provided pursuant to subsection 1 to the Superintendent of the Bureau of Insurance and update this estimate with each subsequent report to the superintendent pursuant to this section.
- The results of any review conducted by or for the licensee identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur.
- The name and contact information of a person who is familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers a cybersecurity incident in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Superintendent of the Bureau of Insurance. The computation of the licensee’s deadlines for notification under this section begins on the day after the third-party service provider notifies the licensee of the cybersecurity event or the day after the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
The Superintendent of the Bureau of Insurance may take any enforcement action permitted under Maine Insurance Code, subsection 12-a of Title 24-a, against any person that violates any provision of this chapter.
- 10 M.R.S. § 1346 et seq.