Maine
Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Within 30 days

FINES & PENALTIES – Violations
$500 – $2,500 daily

Legal

Regulation Levels

  • Breach Reporting
  • Consumer Notification
  • Vendor Management
  • Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information and privacy and security.

QUICK FACTS

Maine Privacy Law Information

BREACH REPORTING

Organizations must conduct a prompt investigation of any suspected breach of security involving computerized data to determine if unauthorized access to, the release of, or use of personal information has occurred and whether the personal information has been or could be misused. If there is no delay because of a law enforcement investigation of a breach, then breach notification must be made within 30 days to affected residents of Maine. If notification is delayed due to a law enforcement investigation, notification must be made within 7 business days after the investigation is complete. Regulatory breach notification to the State Attorney General or the Department of Professional and Financial Regulation is required if any resident of the state is affected.

CONSUMER NOTIFICATION

Reporting to the consumer reporting agencies is required if more than 1,000 state residents are affected by a breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

INDUSTRY SPECIFIC LAWS

Maine passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches. Effective January 1, 2022, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days. Sector-specific state regulations (health, education, insurance) include requirements for notice, disclosure, policies, and procedures for the protection of personal information, and provide for an individual’s right to access their personal information.

VENDOR/THIRD PARTIES

If a Vendor is breached, it must notify the Organization. The Organization is responsible for completing any required regulatory and consumer breach notifications.

FINES & PENALTIES

Organizations may be fined or penalized for Vendor violations. A civil fine of $500 per violation, up to $2,500 per day, can be imposed for failing to provide timely breach notification.

INTERNET SERVICE PROVIDER REQUIREMENTS

Internet service providers (ISPs) operating in Maine must provide notice of customers' rights at the point of sale and get the express consent of customers who reside in the state for the use, disclosure, sale of, or access to their personal information. A customer may cancel their consent at any time. ISPs must implement security measures to protect customer personal information from unauthorized use, disclosure or access.

Maine Statutes and Laws

10 ME REV STAT CHAPTER 208-A

Protection of social security numbers

10 ME REV STAT CHAPTER 210-B §§ 1346 – 1350-B

Notice of risk to personal data

20-A ME REV STAT CHAPTER 221

School records, audits and reports

22 ME REV STAT §§ 1711 – 1711-E

Patient access, confidentiality – medical records

24-A ME REV STAT §§ 2201 – 2220

Insurance information and privacy protection act

24-B ME REV STAT §§ 2261 – 2272

Maine insurance data security act

35-A ME REV STAT § 9301

Privacy of broadband internet access service customer personal information

DISCLAIMER

The information provided is not legal guidance or a recommendation and is for informational purposes only.