Maine's law on electronic data breaches requires certain businesses and organizations to report data security breaches to the Office of the Attorney General. Those who are required to report to us do so through our security breach reporting service. Data breach notices reported from August 1, 2010 to September 14, 2020, can be found in our Data Breach Notices Archives.
Special notice about the data breach database
We were recently made aware of an apparent abuse of our data breach reporting system. We are reviewing our procedures to make this abuse less likely in the future while preserving the public availability of such information. The public-facing database will remain offline until then. In the interim, if you are an entity who needs to submit a data breach report, you can continue to do so through our online reporting service below. If you need information from existing reports, please contact us at AG.ConsumerProtectionDivision@maine.gov.
Reporting a data security breach
The security breach reporting service should be used only by an authorized agent of the business or organization that experienced the breach.
If you are a consumer who has been notified of a data breach or has experienced identity theft, please do not submit a data breach report. Please visit our Identity Theft page for steps you can take to prevent and deal with identity theft.
Investigate and Report
As required by Maine law, if you are a business or organization that maintains computerized personal data (such as social security numbers, drivers' license or state ID numbers, credit and debit card numbers) you must investigate and report data security breaches.
Investigate: You must determine who has been affected and how that information may have been used.
Report: You must report the breach to…
- Customers. You must notify residents whose personal data has been misused or it is reasonably possible that it may be misused.
- Consumer reporting agencies (credit bureaus: Equifax, Experian, TransUnion). If a breach requires notice to more than 1,000 people, you must notify the credit bureaus.
- Regulators. If you are regulated by an agency of Maine's Dept of PFR, then that agency must be notified. For example, an insurance company doing business in Maine and licensed by the Maine Bureau of Insurance must notify the Bureau of Insurance.
- Attorney General. If you are not regulated by one of those agencies, then you must notify the Maine Attorney General through the Report a Security Breach online service.
These notifications must be made without delay. However, reporting entities who are pursuing a criminal investigation should consult with law enforcement to make sure the notice won't interfere with the investigation. Once law enforcement determines the notice will not compromise the investigation, the notice should be made within 7 days.