Insurance Data Security Act

This page provides the information necessary to submit the Notification of Cybersecurity Event and Compliance Certification forms, required under the Maine Insurance Data Security Act. See Bureau Bulletin 462 (PDF), Maine Insurance Data Security Act, for more detail. Please contact the Bureau at CyberSecurity.BOI@maine.gov with any questions.

Notification of Cybersecurity Event

A licensee that has determined that a cybersecurity event has occurred must notify the Superintendent within three business days of the event using this form.

Notification of Cybersecurity Event Form, online. Note: the online form must be completed in one session. (This PDF version is provided for reference, so you can anticipate the questions and gather the required information before you start the online form.)

Requesting Confidential Treatment of Documents

The Insurance Data Security Act specifies which information in a notification is given confidential status. Responses to the questions highlighted in yellow on the notification form are expressly made confidential by the Insurance Data Security Act, and no specific request for confidentiality is required. A licensee providing any other information it believes is entitled to confidential treatment should follow the instructions at this link.

Instructions for requesting confidential treatment of documents

The Insurance Data Security Act Compliance Certification

Each Maine domestic insurance carrier must certify its compliance each year with the information security program requirements of § 2264(9).

A licensee subject to and compliant with the information security and breach notification requirements of HIPAA and HITECH may certify its compliance with those laws and regulations under § 2269(2)(A).

An insurance producer business entity owned by a depository institution that maintains a GLBA-compliant information security program may certify to this under § 2269(2)(B). If the insurance producer business entity owned by a depository institution has fewer than 10 employees, the business entity does not need to make this certification, because § 2264 does not apply to licensees with fewer than 10 employees.

A licensee may use either the omnibus certification form below or submit its own certification using the language in the omnibus form.

Compliance Certification Form, online. (PDF version for reference.)

Submitting the Notification and Certification Forms

Notification: Must be submitted within three business days after the licensee has determined that a cybersecurity event has occurred. Exhibits such as sample notifications to consumers must be submitted separately to CyberSecurity.BOI@maine.gov. We will confirm receipt of all event notifications and send you a copy of your response with the confirmation.

Certification: Due annually on or before April 15. Please print the certification form with your responses before submitting.

Statutory Requirements

• Title 24-A M.R.S. Chapter 24-B, Maine Insurance Data Security Act