
PUBLIC LAWS
Second Regular Session of the 122nd

CHAPTER 583
H.P. 1417 - L.D. 2017

An Act To Amend the Notice of Risk to Personal Data Act

Be it enacted by the People of the State of Maine as follows:

     Sec. 1. 10 MRSA §1347, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     1. Breach of the security of the system. "Breach of the security of the system" or "security breach" means unauthorized acquisition of an individual's computerized data that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person. Good faith acquisition of personal information by an employee or agent of a person on behalf of the person is not a breach of the security of the system if the personal information is not used for or subject to further unauthorized disclosure.

     Sec. 2. 10 MRSA §1347, sub-§4, ¶C, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     Sec. 3. 10 MRSA §1347, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     5. Person. "Person" means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities. "Person" as used in this chapter may not be construed to require duplicative notice by more than one individual, corporation, trust, estate, cooperative, association or other entity involved in the same transaction.

     Sec. 4. 10 MRSA §1347, sub-§6, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     6. Personal information. "Personal information" means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

"Personal information" does not include information from 3rd-party claims databases maintained by property and casualty insurers or publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

     Sec. 5. 10 MRSA §1347, sub-§8, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     8. Unauthorized person. "Unauthorized person" means a person who does not have authority or permission of a person maintaining personal information to access personal information maintained by the person or who obtains access to such information by fraud, misrepresentation, subterfuge or similar deceptive practices.

     Sec. 6. 10 MRSA §1348, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is repealed and the following enacted in its place:

     1. Notification to residents. The following provisions apply to notification to residents by information brokers and other persons.

The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system.

     Sec. 7. 10 MRSA §1348, sub-§2, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     2. Notification to person maintaining personal information. A 3rd-party entity that maintains, on behalf of a person, computerized data that includes personal information that the 3rd-party entity does not own shall notify the person maintaining personal information of a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

     Sec. 8. 10 MRSA §1348, sub-§4, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     4. Notification to consumer reporting agencies. If a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 United States Code, Section 1681a(p). Notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.

     Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     5. Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.

     Sec. 10. 10 MRSA §1349, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     1. Enforcement. The appropriate state regulators within the Department of Professional and Financial Regulation shall enforce this chapter for any person that is licensed or regulated by those regulators. The Attorney General shall enforce this chapter for all other persons.

     Sec. 11. 10 MRSA §1349, sub-§2, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

     2. Civil violation. A person that violates this chapter commits a civil violation and is subject to one or more of the following:

     Sec. 12. 10 MRSA §1349, sub-§4 is enacted to read:

     4. Exceptions. A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the requirements of this chapter as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements of this chapter.

     Sec. 13. 10 MRSA §1350-A is enacted to read:

§1350-A. Rules; education and compliance

     The following provisions govern rules and education and compliance.

     1. Rules. With respect to persons under the jurisdiction of the regulatory agencies of the Department of Professional and Financial Regulation, the appropriate state regulators within that department may adopt rules as necessary for the administration and implementation of this chapter. With respect to all other persons, the Attorney General may adopt rules as necessary for the administration and implementation of this chapter. Rules adopted pursuant to this subsection are routine technical rules as defined in Title 5, chapter 375, subchapter 2-A.

     2. Education and compliance. The appropriate state regulators within the Department of Professional and Financial Regulation shall undertake reasonable efforts to inform persons under the department's jurisdiction of their responsibilities under this chapter. With respect to all other persons, the Attorney General shall undertake reasonable efforts to inform such persons of their responsibilities under this chapter.

     Sec. 14. Effective date. This Act takes effect January 31, 2007.



Office of the Revisor of Statutes
State House, Room 108
Augusta, Maine 04333
