The Notice of Risk to Personal Data Act, 10 M.R.S. §§ 1346 – 1350-B, (“Data Act”) has been effective since January 1, 2006. The Data Act requires information brokers and others to notify customers when unauthorized persons obtain personal data that could result in identity theft.
The Legislature has amended the Data Act twice:
A 2009 amendment made illegal an unauthorized person’s release or use of information acquired through a security breach. The amendment also clarified how quickly affected persons must be notified after law enforcement determines that notification would not compromise a criminal investigation.
An amendment effective September 19, 2019 added municipalities and school administrative units to the list of public entities subject to the Data Act and put a 30-day cap on the time in which notification of a breach must be made, unless there has been a law enforcement delay.
The following are answers to basic questions about the Data Act.
Who does the Data Act cover?
The Data Act covers information brokers and other persons who maintain computerized data that includes personal information. An information broker, for a fee, collects, assembles, evaluates, compiles, reports, transmits, transfers or communicates other individuals’ information primarily to third parties. The definition of “person” is broad. It includes individuals and business entities. It also includes Maine government agencies, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy, and private colleges and universities.
The Data Act prohibits an unauthorized person from releasing or using an individual’s personal information acquired through a data security breach.
Personal information is an individual’s first name or first initial and last name in combination with any one or more of the following information:
- Social security number
- Driver's license number or state identification card number
- Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords
- Account passwords or personal identification numbers or other access codes.
This definition applies if either the name or the other information is not encrypted or redacted. The other information need not appear with a person’s first name or first initial and last name. The other information meets the statute’s definition if someone else could use it fraudulently to assume or attempt to assume the identity of that person.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. Personal information also does not include information from third-party claims databases maintained by property and casualty insurers.
No. The Data Act only covers electronic records.
What does someone subject to the Data Act have to do if he or she suspects a security system breach?
An information broker or any other person who becomes aware of a breach of his or her computer system’s security must investigate the problem in good faith, reasonably and promptly. The investigation must meet two goals: First, it must determine the scope of the security breach. Second, it must consider what measures are necessary to restore the reasonable integrity, security and confidentiality of the data in the breached system. Thus, the Data Act implicitly requires entities subject to it to take steps to prevent future breaches.
The “awareness” standard that triggers the investigation is deliberately low. The purpose of the Data Act is to warn those at risk of identity theft or other loss resulting from release of personal information so that they in turn can take steps to protect themselves. Those subject to the Data Act should err on the side of investigating potential breaches and should tailor each investigation to the facts of the particular breach.
The answer depends on whether the case involves an information broker or any other person. For information brokers, the standard is met if the investigation shows that an unauthorized person has acquired a Maine resident’s personal information or if the broker reasonably believes that this has happened. For any other person, the standard is met if the investigation shows that misuse of a Maine resident’s personal information has occurred or if it is reasonably possible that such misuse will occur.
The “misuse” standard is also low and does not require actual evidence of misuse. Those conducting investigations should use their best judgment, based on what they know at the time, in deciding whether the misuse standard has been met.
The Data Act does not require more than one person or other entity involved in the same transaction to give the notification.
The notification must be made as expediently as possible and without unreasonable delay, but not more than 30 days after the person is aware of the breach and has identified its scope. However, if a law enforcement agency determines that the notification would compromise a criminal investigation, the notification must wait in order to let that agency pursue its investigation. Further, the notification may not be given until the law enforcement agency determines that notification would not compromise the criminal investigation. If the person has finished his or her own investigation of the data breach, once the law enforcement agency determines that notification would not compromise the criminal investigation, the notification must be made within seven business days.
Information brokers must notify any Maine resident whose personal information an unauthorized person has acquired or whose information the broker believes an unauthorized person has acquired. Others subject to the Data Act must notify any Maine resident whose personal information has been or is reasonably possible to be misused. Further, any person who maintains computerized personal information for another entity must notify that entity if the person learns or reasonably believes that an unauthorized person acquired personal information. The person must do so immediately upon discovery of the breach.
Anyone who discovers a security breach must notify the national consumer reporting agencies if more than 1,000 affected individuals must receive notification of the breach. The principal reporting agencies are:
- Equifax: 1-800-525-6285, www.equifax.com, P.O Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-397-3742, www.experian.com, P.O Box 9532, Allen, TX 75013
- TransUnion: 1-800-680-7289, www.transunion.com, Fraud Victim Assistance Division, P.O Box 6790, Fullerton, CA 92834-6790
The affected individuals need not be Maine residents. Thus, if 995 of them live outside Maine, and six live in Maine, then the threshold is met.
Last, if an agency at the Department of Professional and Financial Regulation regulates the person giving notice, that person must also notify the applicable regulatory agency. This notice must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach. For a list of the regulating agencies at the Department of Professional and Financial Regulation and information about their respective responsibilities, see the Department’s website here.
The agencies within the Department of Professional and Financial Regulation enforce the Data Act as to entities under their respective jurisdiction. The Maine Office of the Attorney General enforces the Data Act as to all other persons.
Yes. A person who complies with the security breach notification requirements of federal or Maine law other than the Data Act’s security breach notification requirements is deemed to have complied with the Data Act’s requirements. For this safe harbor to apply, the other law’s notification requirements must be at least as protective as the Data Act’s requirements.
Violations of the Data Act are civil violations. An enforcing agency at the Department of Professional and Financial Regulation, or if applicable the Attorney General, may seek to impose a fine of up to $500 per violation for each day the person violates the law, equitable relief, or an injunction against further violations of the Data Act. The maximum fine is $2,500. The fine does not apply to Maine Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System or Maine Maritime Academy.
The Data Act is available on the State of Maine’s web site at http://www.mainelegislature.org/legis/statutes/10/title10ch210-bsec0.html.