The Legal Protocol Regulating Security Breaches in Maine
February 01, 2022
Me. Rev. Stat. tit. 10 § 1346 is a data breach notification law that was passed in the U.S. state of Maine in 2005. Me. Rev. Stat. tit. 10 § 1346 sets forth the protocol that agencies, businesses, and organizations within the state of Maine are required to follow in the event that said entities experience a security breach that leads to the unauthorized disclosure of personal information pertaining to residents of the state. Furthermore, the law also establishes the various sanctions and penalties that can be imposed against agencies, businesses, and organizations within the state should these entities fail to comply with the provisions prescribed by the law.
How is a security breach defined under Me. Rev. Stat. tit. 10 § 1346?
Under Me. Rev. Stat. tit. 10 § 1346, a security breach is defined as the “unauthorized acquisition, release or use of computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information, excluding certain good faith acquisitions.” As for the scope and application of the law, the provisions of Me. Rev. Stat. tit. 10 § 1346 apply “to all individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.” Additionally, Me. Rev. Stat. tit. 10 § 1346 applies strictly to electronic information; written information that is compromised as a result of a security breach is not covered under the law.
What are the requirements?
Under Me. Rev. Stat. tit. 10 § 1346, business entities and organizations within the state of Maine are required to provide citizens of the state with data breach notices in the event that said citizens have their personal information compromised following a security breach. These notices must be provided to citizens “as expediently as possible without unreasonable delay”, and must provide them with information concerning the scope and severity of the breach, as well as the categories of personal information that were compromised during the breach, among other pertinent details. Moreover, in instances where a security breach has affected more than 1,000 residents within the state of Maine, the entity that experienced the breach is also responsible for providing a data breach notification to all three major credit reporting agencies within the U.S.
What’s more, Me. Rev. Stat. tit. 10 § 1346 also mandates that business entities within the state of Maine provide notice to the “appropriate state regulators within the Department of Professional and Financial Regulation.” In instances where a particular business or organization within Maine is not regulated by the Department of Professional and Financial Regulation, these entities must instead provide notice to the Office of the Maine Attorney General. Third parties that collect, process, or manage the personal information of Maine residents must also comply with the provisions set forth in Me. Rev. Stat. tit. 10 § 1346 in the event that a security breach occurs.
What categories of personal information are protected?
Me. Rev. Stat. tit. 10 § 1346 protects the following categories of personal information when they appear in conjunction with the first name or initial and last name of a Maine resident, provided that said information has not been redacted or encrypted:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers, credit card numbers, and debit card numbers, in instances where these forms of personal information could be used without any additional identifying information.
- Access codes, account passcodes, and personal identification numbers.
In terms of the enforcement of Me. Rev. Stat. tit. 10 § 1346, the Maine Attorney General has the authority to impose a number of sanctions and penalties against business entities within the state that are found to be in violation of the law. Such punishments include:
- A monetary penalty of up to $500 per violation.
- A monetary penalty of up to $2,500 “for each day a subject entity is in violation.”
- Equitable relief.
- Enjoinment from further violations of the law.
- Civil liability.
Me. Rev. Stat. tit. 10 § 1346 stands as the foremost legal means by which the personal information of residents within the state of Maine is protected should said information be compromised as a result of a security breach. Through the provisions of the law, strict requirements are placed on agencies, businesses, and organizations within the state as it concerns the protocol that these entities must follow in the event that a security breach occurs. As such, citizens of the state of Maine can rest assured that their personal information is being protected at the state level.