Maine

Notice of Risk to Personal Data Act
CITATION Maine Revised Statute Title 10: §§ 1346 to 1350
ENACTED 2005
SUMMARY

If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of Maine whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person must conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and must give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of Maine if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

DATA COVERED

The law covers ‘Personal Information’, which is defined as an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social Security number;
  2. Driver's license number or state identification card number;
  3. Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;
  4. Account password or personal identification numbers or other access codes; or
  5. Any of the data elements contained in paragraphs (1) to (4) above when not in connection with the individual’s first name, or first initial, and last name, if the information, if compromised, would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

INDUSTRY An information broker or any other person that maintains computerized data that includes personal information.
PENALTIES

The Department of Professional and Financial Regulation shall enforce the act for any person that is licensed by the Department.

The Attorney General enforces the act for all other persons.

Violations are subject to a civil fine of not more than five hundred dollars ($500) per violation, up to a maximum of two thousand five hundred dollars ($2,500) for each day the person is in violation of the act. An injunction may also be issued to prohibit future violations.