Publications
February 6, 2012

What to do After a Data Breach: A Primer on Maine's Security Breach Law

Your company just discovered a security breach resulting in the disclosure of personal information concerning customers, vendors, employees, or other individuals.  What now? 

The purpose of this primer is to provide an introduction to what you need to know about notification requirements under Maine's Notice of Risk to Personal Data Act, 10 M.R.S. §§ 1346-1350-B (the "Act").

The essential purpose of the Notice of Risk to Personal Data Act is informational -- to ensure prompt notification to persons at risk of identity theft.  The Act prohibits use of personal information acquired through a security breach, imposes prompt notification requirements in the event of a security breach, provides for enforcement and penalties, and requires that law enforcement provide a police report in connection with any reported misuse of personal information. 

In the absence of a uniform federal law governing notice requirements in the event of a data breach, the states have enacted a patchwork of notice requirements.  At present 46 states plus the District of Columbia, Puerto Rico and the Virgin Islands (and New York City) have enacted security breach notification laws.  The holdouts are Alabama, Kentucky, New Mexico, and South Dakota.  Maine law applies to Maine residents.  Notification to residents of other states is governed by the law of the state of residence. 

The Act is a key part of the legal puzzle when it comes to notification of data breaches involving Maine residents, but it is not the whole story.  A response to a data breach by financial institutions involves federal law.  State law tort claims (e.g., negligence) and unfair trade practices acts at the state and federal level provide incentives to respond thoughtfully to security breaches.  Relevant contracts may also address data breach, confidentiality, or related requirements.  As in any risk management situation – data breaches are no exception – insurance should also be top of mind.

Download What to do after a Data Breach: A Primer on Maine's security breach law" for more information on:

  • How does the Act define a security breach?
  • Who is subject to the Act?
  • How is "personal information" defined?
  • Does the Act apply to paper records?
  • Do I have to investigate once I become aware of a security breach?
  • What triggers the duty to notify?
  • Who has to be notified?
  • Does Maine have a notification form?
  • What are the required contents of the notification?
  • How quickly do I have to notify?
  • Are there penalties for non-compliance with the Act?
  • Does the Act create a private right of action?

Questions?

For further information about security breach reporting requirements and related privacy or confidentiality issues, please contact Sig Schutz at Preti Flaherty's Portland, Maine office at [email protected] or 207-791-3000.  Sig and other attorneys at Preti Flaherty have advised numerous companies in responding to security breaches and the firm has served as defense counsel in security breach litigation.

Firm Highlights

Press Coverage

Bangor superintendent blocked BDN reporter on Twitter after critical news coverage

In an apparent violation of the First Amendment, Bangor schools superintendent Betsy Webb temporarily blocked a journalist on Twitter following a report that news of a student suicide was announced over the loudspeaker at...

Event

2020 Employment Breakfast Series: Strengthening Your Company's Management of Accommodation Requests

For more than 25 years, Preti Flaherty's Employment Law Group has been keeping clients, business partners, and friends up to date on recent developments in employment law. Join us as we continue that tradition...

News

Preti Flaherty Attorney Benjamin S. Piper Promoted to Partner

Preti Flaherty is pleased to announce that the firm’s partnership has named attorney Benjamin S. Piper as a partner. Ben is a member of the firm's Environmental, Litigation, and Media Law Practice Groups and works...

News

Preti Flaherty Welcomes Government Relations Liaison Andrew I. Roth-Wells to the Firm

Preti Flaherty is pleased to announce that Andrew I. Roth-Wells has joined the firm as a Government Relations Liaison. Andrew will help manage legislative and regulatory advocacy efforts for the firm’s Government Affairs Team...

Publication

The Potential of the Blockchain for Asset Protection Planning

While many legal scholars focus on the challenges and complications seemingly inherent to blockchain and cryptocurrency, others look past the fear and see potential. In this article for Cumberland Law Review , Ian Huyett and Brian Quirk...

Event

2020 Cannabis Law Breakfast - Winter Update

Press Coverage

Maine State Police May Be Spying on You

Police and governments are increasingly turning to new tracking and monitoring methods in their efforts to prevent and record evidence of crimes. A Portland Press Herald investigation examines these expanding law enforcement abilities and the...

Publication

ConsensusDocs vs. AIA - Which Contract Is Best for Contractors?

Choosing the right contract is essential to protecting your rights as a contractor. AIA Contracts have long been the industry standard, but Consensus Docs are fast becoming a reasonable option. In this article, Nathan...

Event

2020 Employment Law Series: A Legislative Update for HR Professionals

For more than 25 years, Preti Flaherty's Employment Law Group has been keeping clients, business partners, and friends up to date on recent developments in employment law. Join us as we continue that tradition...

Publication

Litigation and Arbitration Venue Provisions in Construction Contracts: When and How They Work

Venue and choice-of-law provisions are fairly standard in construction contacts, but can be overlooked due to their location within a contract. When drafted effectively, these provisions can help limit uncertainty about where and how...