‘ 1. Authorized individual. "Authorized individual" means an individual whose access to the nonpublic information held by the licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate.’
| SP0697 LD 1995 |
Session - 129th Maine Legislature C "A", Filing Number S-471, Sponsored by
|
LR 3022 Item 2 |
|
| Bill Tracking, Additional Documents | Chamber Status | ||
Amend the bill in section 1 in §2262 in the first paragraph in the first line (page 1, line 8 in L.D.) by inserting after the following: " and" the following: ' exclusive'
Amend the bill in section 1 in §2263 by striking out all of subsection 1 (page 1, lines 16 to 19 in L.D.) and inserting the following:
Amend the bill in section 1 in §2263 by striking out all of subsection 7 (page 2, lines 10 to 12 in L.D.) and inserting the following:
Amend the bill in section 1 in §2263 in subsection 10 by inserting at the end a new blocked paragraph to read:
‘ "Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.’
Amend the bill in section 1 in §2264 in subsection 2 in paragraph B in the first line (page 3, line 36 in L.D.) by inserting after the following: " against" the following: ' reasonably foreseeable'
Amend the bill in section 1 in §2264 in subsection 6 in paragraph B in the last line (page 6, line 16 in L.D.) by inserting after the following: " accessible" the following: ' to'
Amend the bill in section 1 in §2264 in subsection 9 in the first line (page 7, line 1 in L.D.) by striking out the following: " February" and inserting the following: ' April'
Amend the bill in section 1 in §2265 by striking out all of subsection 2 (page 7, lines 25 to 28 in L.D.) and inserting the following:
Amend the bill in section 1 in §2266 in subsection 1 in the 3rd line (page 7, line 35 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'
Amend the bill in section 1 in §2266 in subsection 5 in paragraph A in subparagraph (1) in the 2nd line (page 9, line 32 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'
Amend the bill in section 1 in §2266 in subsection 5 in paragraph B in subparagraph (1) in the 2nd line (page 10, line 2 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'
Amend the bill in section 1 in §2266 in subsection 6 in the 6th line (page 10, line 13 in L.D.) by striking out the following: " as soon as practicable" and inserting the following: ' no later than the time consumers must be notified under subsection 3 or'
Amend the bill in section 1 in §2269 in subsection 1 in the last line (page 11, line 12 in L.D.) by inserting after the following: " contractors" the following: ' working for the licensee in the business of insurance'
Amend the bill in section 1 in §2269 by striking out all of subsection 2 (page 11, lines 13 to 18 in L.D.) and inserting the following:
(1) The licensee maintains a program for information security and breach notification that treats all nonpublic information relating to consumers in this State in the same manner as protected health information;
(2) The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and
(3) The superintendent has not issued a determination finding that the applicable federal regulations are materially less stringent than the requirements of this chapter.
(1) Upon request, the licensee produces documentation satisfactory to the superintendent that independently validates the controlling depository institution's adoption of an information security program that satisfies the standards for safeguarding customer information;
(2) The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and
(3) The superintendent has not issued a determination finding that the standards for safeguarding customer information are materially less stringent than the requirements of section 2264.
Amend the bill in section 1 in §2272 in the first paragraph in the first line (page 11, line 34 in L.D.) by striking out the following: " January" and inserting the following: ' June'
Amend the bill in section 1 in §2272 in the first paragraph in the 2nd line (page 11, line 35 in L.D.) by striking out the following: " January" and inserting the following: ' June'
Amend the bill by relettering or renumbering any nonconsecutive Part letter or section number to read consecutively.
summary
This amendment makes the following changes to the bill.
1. It clarifies the definitions of "authorized individual," "insurance carrier" and "nonpublic information."
2. It extends the time period for notification of a cybersecurity event from 72 hours to no later than 3 business days.
3. It changes the date that an insurance carrier annually certify compliance with the requirements for an information security program from February 15th to April 15th.
4. It clarifies the exemption for small business licensees and for certain licensees subject to federal law.
5. It changes the effective date to June 1, 2021.