Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- $500 to $2,500 daily

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Entities must conduct a prompt investigation of any suspected breach of security involving computerized data to determine if unauthorized access to, release of or use of personal information has occurred.
  • Entities that experience a breach of security must provide breach notification to affected state residents without delay.
  • Regulatory breach notification to the State Attorney General or the Department of Professional and Financial Regulation is required if any resident of the state is affected.
  • Reporting to the consumer reporting agencies is required if more than 1,000 state residents are affected by a breach.
  • Reporting may be delayed due to law enforcement investigation, but notification must be sent within 7 business days after the investigation is complete.
  • If a vendor is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • A civil fine of $500 per violation, up to $2,500 per day, can be imposed for failing to provide timely breach notification.
  • Sector-specific state regulations (health, education, insurance) include requirements for notice, disclosure, policies, and procedures for the protection of personal information, and provide for an individual’s right to access their personal information.
Statutes and Laws
  • 10 ME Rev Stat Chapter 210-B Notice of Risk to Personal Data (§§1346 – 1350-b)
  • 10 ME Rev Stat Chapter 208-A Protection of Social Security Numbers
  • 20-A ME Rev Stat Chapter 221 School Records, Audits and Reports
  • 22 ME Rev Stat §§ 1711 – 1711-E Patient access, confidentiality – medical records
  • 24-A ME Rev Stat §§ 2201 – 2220 Insurance Information and Privacy Protection Act
