HP0133
LD 158
Session - 126th Maine Legislature
 
LR 157
Item 1

An Act To Amend the Notice of Risk to Personal Data Act To Further Protect Consumers

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 10 MRSA §1348, sub-§1,  as repealed and replaced by PL 2005, c. 583, §6 and affected by §14, is amended to read:

1. Notification to residents.   The following provisions apply to notification to residents by information brokers and other persons.
A.  If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
B.  If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system. In no event may notice be provided later than 30 days after the discovery of the breach of the security of the system.

Sec. 2. 10 MRSA §1348, sub-§5,  as amended by PL 2005, c. 583, §9 and affected by §14, is further amended to read:

5. Notification to state regulators.   When notice of a breach of the security of the system is required under subsection 1, the person shall immediately notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.

Sec. 3. 10 MRSA §1349, sub-§2, ¶A,  as amended by PL 2005, c. 583, §11 and affected by §14, is further amended to read:

A.  A fine of not more than $500 $1,000 per violation, up to a maximum of $2,500 $5,000 for each day the person is in violation of this chapter, except that this paragraph does not apply to State Government, the University of Maine System, the Maine Community College System or Maine Maritime Academy;

SUMMARY

This bill requires that notice of a security breach pursuant to the Notice of Risk to Personal Data Act must be made no later than 30 days after discovery of the breach to residents affected by the breach and must be made immediately to state regulators. The bill also doubles the financial penalties for a civil violation.

