Public Laws

124th Legislature

First Regular Session



Chapter 161

H.P. 672 - L.D. 970

An Act To Amend the Laws Governing Notification after a Security Breach Involving Personal Information

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 10 MRSA §1347, sub-§1,  as amended by PL 2005, c. 583, §1 and affected by §14, is further amended to read:

1. Breach of the security of the system.   "Breach of the security of the system" or "security breach" means unauthorized acquisition , release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person. Good faith acquisition , release or use of personal information by an employee or agent of a person on behalf of the person is not a breach of the security of the system if the personal information is not used for or subject to further unauthorized disclosure to another person.

Sec. 2. 10 MRSA §1347-A  is enacted to read:

§ 1347-A.   Release or use of personal information prohibited

It is a violation of this chapter for an unauthorized person to release or use an individual's personal information acquired through a security breach.

Sec. 3. 10 MRSA §1348, sub-§3,  as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:

3. Delay of notification; criminal investigation by law enforcement.   The If, after the completion of an investigation required by subsection 1, notification is required under this section, the notification required by this section may be delayed if for no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation ; the notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.

Sec. 4. 10 MRSA §1349, sub-§4,  as enacted by PL 2005, c. 583, §12 and affected by §14, is amended to read:

4. Exceptions.   A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the requirements of this chapter section 1348 as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements of this chapter section 1348.

Sec. 5. Application. This Act applies to a security breach discovered by a person subject to the Maine Revised Statutes, Title 10, chapter 210-B on or after the effective date of this Act.

Effective September 12, 2009

Office of the Revisor of Statutes
State House, Room 108
Augusta, ME 04333