Maine

Data Breach Notification Statute

Highlights

Covered Entities: Individuals, businesses, and governmental entities that maintain, own, or license personal information.

Consumer Notification: Notification must be provided to any Maine resident whose personal information was acquired, released, or used on an unauthorized basis that compromises the “security, confidentiality, or integrity” of that information.

Regulatory Notification: When notice of a breach is provided, the entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.

Notification Timeline: Notice must be made as “expediently as possible without unreasonable delay”, but no more than 30 days after the breach is determined.

Data Format: Electronic.

Citations: Me. Rev. Stat. Tit. 10 §§ 1346 – 1350-B

More Details

Definitions:

  • Breach: The unauthorized acquisition, release, or use of a consumer’s personal information that compromises the “security, confidentiality, or integrity” of that information.
  • Personal Information (PI):
    • An individual's first name or first initial and last name in combination with one of the following data elements:
      • Social Security number;
      • Driver’s license or state identification card number;
      • Account number, credit card number or debit card number, if such a number could be used without additional identifying information, access codes or passwords; or
      • Account passwords or personal identification numbers or other access codes.
    • Additionally, any of the data elements above when not connected with a resident’s name, if the information is sufficient to permit a person to fraudulently assume or attempt to assume the identity of a consumer whose information was compromised.
  • Medical Information: N/A
  • Health Insurance Information: N/A 

Safe Harbors:

  • Encryption: A “breach” does not occur if the personal information was encrypted or redacted.
  • Good Faith: Good-faith acquisition of personal information is not a breach if not used or subject to further unauthorized disclosure.
  • Risk of Harm: If the entity is not an “information broker”, notice is not required if, after a reasonable and prompt investigation, the entity determines there is no reasonable possibility that a consumer’s personal information has been or will be misused.
  • Law Enforcement Delay: Notification may be delayed no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation.

Direct Notice:

  • Timing: Notice must be made as “expediently as possible without unreasonable delay”, but no more than 30 days after the breach is determined.
  • Format: N/A
  • Content: N/A
  • Method: Written notice; or electronic notice, if the notice provided is “consistent with the provisions regarding electronic records and signatures” per E-SIGN.

Substitute Notice:

If the cost of providing notification would exceed $5,000, or the affected class of persons exceeds 1,000, or the agency or person does not have sufficient contact information, substitute notice can be made in the following manner: (1) e-mail notification when the agency has e-mail addresses for the affected consumers; (2) conspicuous posting of the notice on the web page of the entity; and (3) notification to major statewide media.

Remediation Services:

N/A 

Regulatory Notice:

When notice of a breach is provided, the entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.

Credit Reporting Agencies Notice:

If notification is issued to more than 1,000 persons, an entity must notify, without unreasonable delay, all nationwide consumer reporting agencies of the date of the breach, an estimate of consumers affected, and the date of the notice.

Third-Party Notice:

An entity that maintains personal information that it does not own shall notify the owner or licensee of any breach as soon as reasonably practicable following discovery.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

  • Insurance Data Security (Me. Rev. Stat. §§ 2261 – 2272)

Insurance Data Security Statute

Highlights

Covered Entities: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Maine, not including a purchasing group or a risk retention group chartered and licensed in a state other than Maine or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Consumer Notification: A licensee shall comply with the Maine Notice of Risk to Personal Data Act, Chapter 210-B of Title 10, as applicable.

Regulatory Notification: A licensee shall notify the Superintendent of the Bureau of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Notification Timeline: As promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.

Citations: 24-A M.R.S.A. §§2261-2272

More Details

Definitions:

  • Consumer: An individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of Maine and whose nonpublic information is in a licensee’s possession, custody or control.
  • Cybersecurity Event: An event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization or an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
  • Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Maine, not including a purchasing group or a risk retention group chartered and licensed in a state other than Maine or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
  • Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
    • Business-related information of a licensee the tampering with or unauthorized disclosure of, access to or use of which would materially and adversely affect the business, operations or security of the licensee;
    • Information that, because of name, number, personal mark or other identifier, can be used in combination with any one (1) or more of the following data elements to identify a consumer:
      • Social security number;
      • Driver’s license number or nondriver identification card number;
      • Financial account number or credit or debit card number;
      • Any security code, access code or password that would permit access to a consumer’s financial account; or
      • Biometric records; or
    • Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
      • The past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer’s family;
      • The provision of health care to a consumer; or
      • Payment for the provision of health care to a consumer.

“Nonpublic information” does not include a consumer’s personally identifiable information that has been anonymized using a method no less secure than the so-called safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

Regulatory Notice:

A licensee shall notify the Superintendent of the Bureau of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:

  • Maine is the licensee’s state of domicile, in the case of an insurance carrier, or Maine is the licensee’s home state, as that term is defined in section 1420-A, subsection 2, in the case of an insurance producer; or
  • The licensee reasonably believes that the nonpublic information involved concerns 250 or more consumers residing in Maine and that the cybersecurity event is either of the following:
    • A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory organization or other supervisory body pursuant to any state or federal law; or
    • A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Maine or any material part of the licensee’s normal operations.

Content Requirements:

When notifying the Superintendent of the Bureau of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:

  • The date of the cybersecurity event.
  • A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
  • How the cybersecurity event was discovered.
  • Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
  • The identity of the source of the cybersecurity event.
  • Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
  • A description of the specific types of information acquired without authorization, which includes, but is not limited to, medical information, financial information and information allowing identification of a consumer.
  • The period of time during which the information system was compromised by the cybersecurity event.
  • The total number of consumers in Maine affected by the cybersecurity event. The licensee shall provide its best estimate in the notification provided pursuant to subsection 1 to the Superintendent of the Bureau of Insurance and update this estimate with each subsequent report to the superintendent pursuant to this section.
  • The results of any review conducted by or for the licensee identifying a lapse in either automated controls or internal procedures or confirming that all automated controls or internal procedures were followed.
  • A description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur.
  • A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
  • The name and contact information of a person who is familiar with the cybersecurity event and authorized to act for the licensee.

The licensee has a continuing obligation to update and supplement initial and subsequent notifications to the superintendent concerning the cybersecurity event.

Third-Party Notice Requirements:

If a licensee discovers a cybersecurity event in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Superintendent of the Bureau of Insurance. The computation of the licensee’s deadlines for notification under this section begins on the day after the third-party service provider notifies the licensee of the cybersecurity event or the day after the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.

Information Security Program:

A licensee shall develop, implement, and maintain a comprehensive, written information security program based on its risk assessment and commensurate with the size, complexity, nature, and scope of the licensee’s activities. The information security program must account for the licensee’s use of any third-party service providers and the sensitivity of nonpublic information used by the licensee or in its possession, custody, or control. A licensee with fewer than 10 employees, including any independent contractors working for the licensee in the business of insurance, is exempt from this requirement.

Design of Information Security Program: The written information security program must be designed to:

  • Protect the security and confidentiality of nonpublic information and the security of the licensee’s information systems; 
  • Protect against reasonably foreseeable threats or hazards to the security or integrity of nonpublic information and the licensee’s information systems;
  • Protect against unauthorized access to or use of nonpublic information and minimize the likelihood of harm to any consumer; and
  • Define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when it is no longer needed.

Risk Management: As part of its written information security program, a licensee must:

  • Designate one or more employees, an affiliate or another person to act on behalf of the licensee to be responsible for the licensee’s information security program;
  • Identify reasonably foreseeable internal or external threats that could result in unauthorized access to or transmission, disclosure, misuse, alteration or destruction of nonpublic information, including threats to the security of the licensee’s information systems and nonpublic information that are accessible to or held by 3rd-party service providers;
  • Assess the likelihood and potential damage of the threats described in paragraph B, taking into consideration the sensitivity of the nonpublic information;
  • Assess the sufficiency of policies, procedures and other safeguards in place to manage the threats, including consideration of threats in each relevant area of the licensee’s operations, including: employee training and management; information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and detecting, preventing and responding to attacks, intrusions or other system failures; and
  • At least annually, a licensee must assess the effectiveness of the key controls, information systems and procedures and other safeguards implemented to manage the threats identified in the licensee’s ongoing assessment.

Penalties:

The Superintendent of the Bureau of Insurance may examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of Chapter 24-B of the Maine Insurance Data Security Act. Whenever the Superintendent has reason to believe that a licensee has been or is engaged in conduct in Maine that violates Chapter 24-B, the Superintendent may take action that is necessary or appropriate to enforce the provisions of this chapter.

Associated Regulations:

  • 10 M.R.S. § 1346 et seq.
