Protecting Confidential Data – a new Maine Law
By Karen Tang
What would you do if you suspected that State-maintained private information had been compromised?
In light of the problems being faced by the Veteran’s Administration and others, State employees are increasingly aware of the need to safeguard data maintained by State agencies. Indeed, computerized personal data can be easily accessed and transported – and sadly, stolen. Effective next January 31, PL 583, An Act to Amend the Notice of Risk to Personal Data, clarifies state employees’ responsibilities whenever security breaches are suspected.
Since you are a citizen, you’ll be glad to know the Maine legislature was thinking of you. Prior to passage of Public Law 583, only credit card companies/information brokers were required to notify consumers if they became aware of a security breach. As of next January, the requirement to notify has been extended to any individual and all businesses, governments, etc. that collect personal data. Thus, if your confidential information is inappropriately accessed, PL 583 requires that you be notified as soon as the breach – or potential breach – is discovered.
Under PL 583, personal information is defined as:
- An individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  - Social security number;
  - Driver's license number or state identification card number;
  - Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;
  - Account passwords or personal identification numbers or other access codes.
- Any of the data elements above, when not in combination with any part of the individual’s name, would still be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
State Employees: Since you are a state employee, PL 583 adds to your responsibility under the law! All of us who use computers need to increase our awareness and reexamine how we handle and safeguard other people’s personal data! If you become aware of a security breach of the information you are maintaining, or suspect the potential of it being lost or misused, you are required to notify your agency’s leadership.
Contractors and Third Party Entities (who access and maintain personal information data on behalf of a state employee): If you suspect, or become aware of, a security breach, PL 583 requires you to notify the person maintaining the information so this individual can then notify his/her agency’s leadership.
The agency will then notify the Attorney General's Office, which will take measures to inform affected parties so they can take steps to protect their identities. If more than one thousand accounts are affected, the Attorney General's Office will also give notice to credit reporting agencies.
The Office of Information Technology (OIT) will continue to emphasize system security to minimize the opportunities for unauthorized access to computerized personal information. OIT cannot safeguard all of the State’s data single-handedly – it requires all of us to be diligent – every day.
Public Law 583 will become available to view on this website: http://janus.state.me.us/legis/ros/lom/lomdirectory.htm