SP0209
LD 696
Session - 129th Maine Legislature
C "A", Filing Number S-77, Sponsored by
LR 1087
Item 2
Bill Tracking, Additional Documents Chamber Status

Amend the bill by striking out the title and substituting the following:

‘An Act To Require Municipalities and School Districts To Provide Notice of Breaches in Personal Data Security’

Amend the bill by striking out everything after the enacting clause and inserting the following:

Sec. 1. 10 MRSA §1347, sub-§5,  as amended by PL 2005, c. 583, §3 and affected by §14, is further amended to read:

5. Person.   "Person" means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities. "Person" as used in this chapter may not be construed to require duplicative notice by more than one individual, corporation, trust, estate, cooperative, association or other entity involved in the same transaction.

Sec. 2. 10 MRSA §1348, sub-§1,  as repealed and replaced by PL 2005, c. 583, §6 and affected by §14, is amended to read:

1. Notification to residents.   The following provisions apply to notification to residents by information brokers and other persons.
A. If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
B. If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system , but in no event later than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope.

Sec. 3. 10 MRSA §1349, sub-§2, ¶A,  as amended by PL 2005, c. 583, §11 and affected by §14, is further amended to read:

A. A fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation of this chapter, except that this paragraph does not apply to State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System or Maine Maritime Academy;’

summary

This amendment replaces the bill. It amends the Notice of Risk to Personal Data Act to add municipalities and school administrative units to the definition of "person" to make the Act applicable to these entities. It also exempts these entities from the civil violations provision of the Notice of Risk to Personal Data Act. The amendment specifies that notice to residents of the State of a security breach must be given no later than 30 days after the information broker or person maintaining computerized data that includes personal information becomes aware of a security breach.

FISCAL NOTE REQUIRED
(See attached)


Top of Page