Maine's law on electronic data breaches requires certain entities to report data security breaches to the Office of the Attorney General. Those who are required to report to us do so through our security breach reporting service. Data breach notices reported from August 1, 2010 to September 14, 2020, can be found in our Data Breach Notices Archives.
Special notice about the data breach database
We were recently made aware of an apparent abuse of our data breach reporting system. We are reviewing our procedures to make this abuse less likely in the future while preserving the public availability of such information. The public-facing database will remain offline until then. In the interim, if you are an entity who needs to submit a data breach report, you can continue to do so through our online reporting service. If you need information from existing reports, please contact us at AG.ConsumerProtectionDivision@maine.gov.
Maine law on electronic data breaches requires anyone who maintains computerized personal data (such as SSNs, drivers' license or state ID numbers, credit and debit card numbers, etc.) who become aware of a security breach to conduct an investigation to see who has been affected and how that information may have been used.
It also requires certain notification requirements. They must report the breach to…
- Customers. Any other business maintaining personal info must notify residents whose personal data has been misused or it is reasonably possible that it may be misused.
- Consumer reporting agencies aka Credit Bureaus (Equifax, Experian, TransUnion). If a breach requires notice to more than 1,000 people, the business has an obligation to notify the credit bureaus.
- Regulators. If the business whose data was breached is regulated by an agency of Maine's Dept of PFR, then that agency must be notified (e.g. an insurance company doing business in Maine and licensed by the Maine Bureau of Insurance would have to notify the Bureau of Insurance).
- Attorney General. If you are not regulated by one of those agencies, then you must notify the Maine Attorney General through the Report a Security Breach online form.
These notifications must be made without delay. However, reporting entities who are pursuing a criminal investigation should consult with law enforcement to make sure the notice won't interfere with the investigation. Once law enforcement determines the notice will not compromise the investigation, the notice should be made within 7 days.