Persons and business entities subject to regulation by the Bureau of Insurance should be aware of the notification requirements related to cybersecurity events. These requirements are found in two Maine statutes - the Insurance Data Security Act (IDSA) and the Notice of Risk to Personal Data Act (NRPDA). Each law requires notification to the Superintendent and to affected customers under certain circumstances and within certain times. This page contains information about submitting the forms required under these laws. Before submitting the forms on this page, you should read our Bulletin 468, Maine Law Concerning Cybersecurity Events, and our FAQs related to NRPDA. Please contact us at CyberSecurity.BOI@maine.gov with any questions.
Maine Insurance Data Security Act. IDSA requires that the Superintendent be notified within three business days after a licensee determines that a cybersecurity event has occurred. This requirement applies to:
- any licensee holding a Maine resident license or registration, regardless of the number of Maine residents affected by the cybersecurity event, and
- any non-resident licensee who reasonably believes the event concerns 250 or more Maine residents and (i) state or federal law requires notice of the event be given to any government body, or (ii) there is a reasonable likelihood of material harm to any Maine resident or any material part of the licensee's normal operation.
Licensees should use the online IDSA Notification of Cybersecurity Event Form to report cybersecurity events that occurred on or after January 1, 2022. The form must be completed in one session. Exhibits such as sample notifications to consumers must be submitted separately to CyberSecurity.BOI@maine.gov.
If a nonresident licensee has reason to think that a breach of its systems will affect at least 250 Maine residents, even though the licensee has not yet completed its investigation, it should notify the Superintendent under IDSA.
Maine Notice of Risk to Personal Data Act. The breach notification requirement under NRPDA is broader in scope for nonresident licensees, but the timetable is less stringent. NRPDA requires notification to the Superintendent whenever a security breach results or is reasonably likely to result in misuse of at least one Maine resident's personal information. Notice must be given as expediently as possible and without unreasonable delay, but in no event more than 30 days after the licensee becomes aware of the breach and identifies its scope, unless a law enforcement agency has delayed notice to affected residents to protect an ongoing criminal investigation. Because the two statutes overlap, nonresident licensees should follow the three-business-day timetable required by IDSA unless they are confident that the event will not meet the criteria of section 2266(1).
For both resident and nonresident licensees, NRPDA also requires notification to all affected Maine consumers, given as expediently as possible and without unreasonable delay, but in no event more than 30 days after the licensee becomes aware of the breach and identifies its scope, unless a law enforcement agency has required this notice to be delayed to protect an ongoing criminal investigation.
Licensees should use the online NRPDA Notification of Breach of System Security Event Form for data breaches that are not reportable under IDSA. The form must be completed in one session. Exhibits such as sample notifications to consumers must be submitted separately to CyberSecurity.BOI@maine.gov.
We will confirm receipt of all event notifications and send you a copy of your response with the confirmation.
Requesting Confidential Treatment of Documents
IDSA specifies which information in a notification is given confidential status. Responses to the questions highlighted in yellow on the notification form are expressly made confidential by the Insurance Data Security Act, and no specific request for confidentiality is required. A licensee providing any other information it believes is entitled to confidential treatment should follow the instructions at the link below. NRPDA does not have any confidentiality provisions relating to notifications that must be given to the Superintendent. However, the NRPDA Notification of Breach of System Security Event Form highlights in yellow which responses the Bureau will treat as confidential. Any nonresident licensee providing other information in this form it believes should be treated as confidential should follow the same process.
The Insurance Data Security Act Compliance Certification
Having an information security program that protects nonpublic information is an important requirement of IDSA. IDSA has several requirements related to compliance with its information security program provisions.
First, IDSA requires that each Maine domestic insurance carrier certify to the Superintendent its compliance each year with the information security program requirements of § 2264(9). IDSA defines Maine "domestic insurance carriers" as:
- entities that must be licensed in order to assume risk, such as insurers, nonprofit hospitals, medical or health care service organizations, health maintenance organizations, and multiple employer welfare arrangements;
- self-funded health plans under § 2848-A;
- preferred provider arrangements under § 2671; and
- third-party administrators under § 1901, providing services for non-carrier entities.
Each Maine domestic insurance carrier as defined above should use the Maine Domestic Carrier Compliance Certification Form or submit its own certification using the language in this form. This form has two options for certifying compliance - one for non-HIPAA/HITECH-compliant companies and one for carriers that are subject to and comply with HIPAA/HITECH. This certification requirement does not apply to any entity not in this list. If you are not sure if this requirement applies to your company, contact us at CyberSecurity.BOI@maine.gov with any questions.
Second, IDSA allows safe harbors at § 2269(2) for two types of licensees if they certify their compliance with certain federal laws affecting information security. The first applies to licensees subject to and compliant with the information security and breach notification requirements of HIPAA and HITECH. The second applies to insurance producer business entities owned by depository institutions that maintain GLBA-compliant information security programs. Neither of these certifications is necessary for licensees with fewer than 10 employees, because the information security program requirement at § 2264 does not apply to them.
A licensee that is not a Maine domestic carrier may either use the All-Other Compliance Certification form or submit its own certification using the language in this form.
The certification forms are due annually on or before April 15. Please print the certification form with your responses before submitting.