IDSA Notification of Cybersecurity Event

The Maine Insurance Data Security Act, 24-A M.R.S. §§ 2261 – 2272, requires all licensees to notify the Superintendent as promptly as possible, but not later than three business days, after determining that a cybersecurity event has occurred involving nonpublic information in the licensee’s possession if the criteria in 24-A M.R.S. § 2266(1)(A) or (B) applies.

The Act treats as confidential, and not subject to subpoena, discovery or admission in evidence in a private civil action, the information in this notification covered by 24-A M.R.S. §§ 2266(2)(B), (C), (D), (E), (H), (J), and (K). The fields below subject to this protection are shown highlighted in yellow; the others are not. Thus, the fact that a cybersecurity event has happened, the reporting licensee’s identity, whether reports have been filed with law enforcement officials, the types of affected information, the number of affected people, the affected licensee’s privacy policy and investigation and notification steps, and the licensee’s contact person are public information. The reporting licensee has a continuing obligation to update and supplement this form regarding material changes to information previously provided relating to the cybersecurity event.

We will treat questions with the word confidential highlighted in yellow confidentially. 

If you have questions about the Act, please contact the Bureau at CyberSecurity.BOI@maine.gov or call (800) 300-5000.

*Required - Required fields have an asterisk beside the field name. You will not be able to submit your form until all required fields are completed. When your report has been successfully submitted, you will receive an immediate confirmation. If you do not receive this confirmation, then there is an error.