Maine
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe: Within 30 days
FINES & PENALTIES – Violations: $500 – $2,500 daily
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Not Required
Vendor Notification: Required
Privacy Program: Not Required
QUICK FACTS
Maine Privacy Law Information
Organizations must conduct a prompt investigation of any suspected breach of security involving computerized data to determine if unauthorized access to, the release of, or use of personal information has occurred and whether the personal information has been or could be misused. If there is no delay because of a law enforcement investigation of a breach, then breach notification must be made within 30 days to affected residents of Maine. If notification is delayed due to a law enforcement investigation, notification must be made within 7 business days after the investigation is complete. Regulatory breach notification to the State Attorney General or the Department of Professional and Financial Regulation is required if any resident of the state is affected.
Reporting to the consumer reporting agencies is required if more than 1,000 state residents are affected by a breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Maine passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 1, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Sector-specific state regulations (health, education, insurance) include requirements for notice, disclosure, policies, and procedures for the protection of personal information, and provide for an individual’s right to access their personal information.
If a Vendor is breached, it must notify the Organization. The Organization is responsible for completing any required regulatory and consumer breach notifications.
Organizations may be fined or penalized for Vendor violations. A civil fine of $500 per violation, up to $2,500 per day, can be imposed for failing to provide timely breach notification.
Internet service providers (ISPs) operating in Maine must provide notice of customers’ rights at the point of sale and get the express consent of customers who reside in the state for the use, disclosure, sale of, or access to their personal information. A customer may cancel their consent at any time. ISPs must implement security measures to protect customer personal information from unauthorized use, disclosure or access.
Maine Statutes and Laws
Protection of social security numbers
Notice of risk to personal data
School records, audits and reports
Patient access, confidentiality – medical records
Insurance information and privacy protection act
Maine insurance data security act
Privacy of broadband internet access service customer personal information
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.