An Act To Amend the Notice of Risk to Personal Data Act
Be it enacted by the People of the State of Maine as follows:
Sec. 1. 10 MRSA §1347, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
1. Breach of the security of the system.
"Breach of the security of the system" or "security breach" means unauthorized acquisition of an individual's computerized data that compromises the security, confidentiality or integrity of personal information of the individual maintained by an information broker a person. Good faith acquisition of personal information by an employee or agent of an information broker for the purposes of the information broker a person on behalf of the person is not a breach of the security of the system if the personal information is not used for or subject to further unauthorized disclosure.
Sec. 2. 10 MRSA §1347, sub-§4, ¶C, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
C.
Substitute notice, if the person maintaining personal information broker demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000 or that the person maintaining personal information broker does not have sufficient contact information to provide written or electronic notice to those individuals. Substitute notice must consist of all of the following:
(1) E-mail notice, if the information broker person has e-mail addresses for the individuals to be notified;
(2) Conspicuous posting of the notice on the information broker's person's publicly accessible website, if the information broker person maintains one; and
(3) Notification to major statewide media.
Sec. 3. 10 MRSA §1347, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
5. Person.
"Person" means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity , including agencies of State Government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities. "Person" as used in this chapter may not be construed to require duplicative notice by more than one individual, corporation, trust, estate, cooperative, association or other entity involved in the same transaction.
Sec. 4. 10 MRSA §1347, sub-§6, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
6. Personal information.
"Personal information" means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:A.
Social security number;
B.
Driver's license number or state identification card number;
C.
Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords;
D.
Account passwords or personal identification numbers or other access codes; or
E.
Any of the data elements contained in paragraphs A to D when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
"Personal information" does not include information from 3rd-party claims databases maintained by property and casualty insurers or publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Sec. 5. 10 MRSA §1347, sub-§8, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
8. Unauthorized person.
"Unauthorized person" means a person who does not have authority or permission of an a person maintaining personal information broker to access personal information maintained by the information broker person or who obtains access to such information by fraud, misrepresentation, subterfuge or similar deceptive practices.
Sec. 6. 10 MRSA §1348, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is repealed and the following enacted in its place:
1. Notification to residents.
The following provisions apply to notification to residents by information brokers and other persons. A.
If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
B.
If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.
The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system.
Sec. 7. 10 MRSA §1348, sub-§2, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
2. Notification to person maintaining personal information.
A person 3rd-party entity that maintains, on behalf of an information broker a person, computerized data that includes personal information that the person 3rd-party entity does not own shall notify the information broker person maintaining personal information of a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Sec. 8. 10 MRSA §1348, sub-§4, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
4. Notification to consumer reporting agencies.
If an information broker a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the information broker person shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 United States Code, Section 1681a(p). Notification must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.
Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
5. Notification to state regulators.
When notice of a breach of the security of the system is required under subsection 1, the information broker person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the information broker person is not regulated by the department, the Attorney General.
Sec. 10. 10 MRSA §1349, sub-§1, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
1. Enforcement.
The appropriate state regulators within the Department of Professional and Financial Regulation shall enforce this chapter for any information broker person that is licensed or regulated by those regulators. The Attorney General shall enforce this chapter for all other information brokers persons.
Sec. 11. 10 MRSA §1349, sub-§2, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
2. Civil violation.
An information broker A person that violates this chapter commits a civil violation and is subject to one or more of the following:A.
A fine of not more than $500 per violation, up to a maximum of $2,500 for each day the information broker person is in violation of this chapter , except that this paragraph does not apply to State Government, the University of Maine System, the Maine Community College System or Maine Maritime Academy;
B.
Equitable relief; or
C.
Enjoinment from further violations of this chapter.
Sec. 12. 10 MRSA §1349, sub-§4 is enacted to read:
4. Exceptions.
A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the requirements of this chapter as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements of this chapter.
Sec. 13. 10 MRSA §1350-A is enacted to read:
The following provisions govern rules and education and compliance.
1. Rules.
With respect to persons under the jurisdiction of the regulatory agencies of the Department of Professional and Financial Regulation, the appropriate state regulators within that department may adopt rules as necessary for the administration and implementation of this chapter. With respect to all other persons, the Attorney General may adopt rules as necessary for the administration and implementation of this chapter. Rules adopted pursuant to this subsection are routine technical rules as defined in Title 5, chapter 375, subchapter 2-A.
2. Education and compliance.
The appropriate state regulators within the Department of Professional and Financial Regulation shall undertake reasonable efforts to inform persons under the department’s jurisdiction of their responsibilities under this chapter. With respect to all other persons, the Attorney General shall undertake reasonable efforts to inform such persons of their responsibilities under this chapter.
Sec. 14. Effective date. This Act takes effect January 31, 2007.
