Your company just discovered a security breach resulting in the disclosure of personal information concerning customers, vendors, employees, or other individuals.  What now? 

The purpose of this primer is to provide an introduction to what you need to know about notification requirements under Maine's Notice of Risk to Personal Data Act, 10 M.R.S. §§ 1346-1350-B (the "Act").

The essential purpose of the Notice of Risk to Personal Data Act is informational -- to ensure prompt notification to persons at risk of identity theft.  The Act prohibits use of personal information acquired through a security breach, imposes prompt notification requirements in the event of a security breach, provides for enforcement and penalties, and requires that law enforcement provide a police report in connection with any reported misuse of personal information. 

In the absence of a uniform federal law governing notice requirements in the event of a data breach, the states have enacted a patchwork of notice requirements.  At present 46 states plus the District of Columbia, Puerto Rico and the Virgin Islands (and New York City) have enacted security breach notification laws.  The holdouts are Alabama, Kentucky, New Mexico, and South Dakota.  Maine law applies to Maine residents.  Notification to residents of other states is governed by the law of the state of residence. 

The Act is a key part of the legal puzzle when it comes to notification of data breaches involving Maine residents, but it is not the whole story.  A response to a data breach by financial institutions involves federal law.  State law tort claims (e.g., negligence) and unfair trade practices acts at the state and federal level provide incentives to respond thoughtfully to security breaches.  Relevant contracts may also address data breach, confidentiality, or related requirements.  As in any risk management situation – data breaches are no exception – insurance should also be top of mind.

Download What to do after a Data Breach: A Primer on Maine's security breach law" for more information on:

• How does the Act define a security breach?
• Who is subject to the Act?
• How is "personal information" defined?
• Does the Act apply to paper records?
• Do I have to investigate once I become aware of a security breach?
• What triggers the duty to notify?
• Who has to be notified?
• Does Maine have a notification form?
• What are the required contents of the notification?
• How quickly do I have to notify?
• Are there penalties for non-compliance with the Act?
• Does the Act create a private right of action?

Questions?

For further information about security breach reporting requirements and related privacy or confidentiality issues, please contact Sig Schutz at Preti Flaherty's Portland, Maine office at [email protected] or 207-791-3000.  Sig and other attorneys at Preti Flaherty have advised numerous companies in responding to security breaches and the firm has served as defense counsel in security breach litigation.