Maine's law on electronic data breaches requires anyone who maintains computerized personal data (like social security numbers, drivers' license numbers, credit card numbers, etc.) to conduct an investigation and meet certain notification requirements. If you are an entity that is required to report the breach to the Maine Attorney General, use our Security Breach Reporting Form. All reported data breaches from September 14, 2020 to the present can be viewed in our Data Breach Notices database. Data breach notices reported from August 1, 2010 to September 14, 2020 can be found in our Data Breach Notices Archives.
Maine law on electronic data breaches requires people who maintain computerized personal data (such as SSNs, drivers' license or state ID numbers, credit and debit card numbers, etc.) who become aware of a security breach to "conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused."
It also imposes certain notification requirements. They must report the breach to…
- Customers. Any other business maintaining personal info must notify residents whose personal data has been misused or for whom it is reasonably possible that it may be misused.
- Consumer reporting agencies aka Credit Bureaus (Equifax, Experian, TransUnion). If a breach requires notice to more than 1,000 people, the business has an obligation to notify the credit bureaus.
- Regulators. If the business whose data was breached is regulated by an agency of Maine's Department of Professional and Financial Regulation (PFR), then that agency must be notified (e.g. an insurance company doing business in Maine and licensed by the Maine Bureau of Insurance would have to notify the Bureau of Insurance).
- Attorney General. If you are not regulated by one of those agencies, then you must notify the Maine Attorney General through the Report a Security Breach online form.
These notifications must be made "as expediently as possible and without unreasonable delay," but if a criminal investigation is opened, you should consult with law enforcement to make sure the notice won't interfere with the investigation. The notifications must then be made within 7 days after law enforcement determines that notification will not compromise any criminal investigation.