Mandated Timeframe for Breach Reporting and/or Consumer Notification
  • Within 30 days

Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties
  • Violations of breach notification laws: $500 to $2,500 daily

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Entities must conduct a prompt investigation of any suspected breach of security involving computerized data to determine if unauthorized access to, release of or use of personal information has occurred and whether the personal information has been or could be misused.
  • Unless notification is delayed because of a law enforcement investigation of the breach, breach notification must be sent to affected residents of Maine within 30 days.
  • If notification is delayed due to a law enforcement investigation, notification must be sent within 7 business days after the investigation is complete.
  • Regulatory breach notification to the State Attorney General or the Department of Professional and Financial Regulation is required if any resident of the state is affected.
  • Reporting to the consumer reporting agencies is required if more than 1,000 state residents are affected by a breach.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • A civil fine of $500 per violation, up to $2,500 per day, can be imposed for failing to provide timely breach notification.
  • Sector-specific state regulations (health, education, insurance) include requirements for notice, disclosure, policies, and procedures for the protection of personal information, and provide for an individual’s right to access their personal information.
  • Internet service providers (ISPs) operating in Maine must provide notice of customers' rights at the point of sale and obtain the express consent of customers who reside in the state for the use, disclosure or sale of, or access to, their personal information. A customer may withdraw consent at any time.
  • ISPs must implement security measures to protect customer personal information from unauthorized use, disclosure or access.
Statutes and Laws
  • 10 ME Rev Stat Chapter 210-B Notice of Risk to Personal Data (§§ 1346 – 1350-B)
  • 10 ME Rev Stat Chapter 208-A Protection of Social Security Numbers
  • 20-A ME Rev Stat Chapter 221 School Records, Audits and Reports
  • 22 ME Rev Stat §§ 1711 – 1711-E Patient access, confidentiality – medical records
  • 24-A ME Rev Stat §§ 2201 – 2220 Insurance Information and Privacy Protection Act
  • 35-A ME Rev Stat § 9301 Privacy of Broadband Internet Access Service Customer Personal Information