SP0697
LD 1995
Session - 129th Maine Legislature
C "A", Filing Number S-471, Sponsored by
LR 3022
Item 2

Amend the bill in section 1 in §2262 in the first paragraph in the first line (page 1, line 8 in L.D.) by inserting after the following: " and" the following: ' exclusive'

Amend the bill in section 1 in §2263 by striking out all of subsection 1 (page 1, lines 16 to 19 in L.D.) and inserting the following:

1. Authorized individual. "Authorized individual" means an individual whose access to the nonpublic information held by the licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate.

Amend the bill in section 1 in §2263 by striking out all of subsection 7 (page 2, lines 10 to 12 in L.D.) and inserting the following:

7. Insurance carrier. "Insurance carrier" has the same meaning as in section 2204, subsection 15.

Amend the bill in section 1 in §2263 in subsection 10 by inserting at the end a new blocked paragraph to read:

"Nonpublic information" does not include a consumer's personally identifiable information that has been anonymized using a method no less secure than the safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

Amend the bill in section 1 in §2264 in subsection 2 in paragraph B in the first line (page 3, line 36 in L.D.) by inserting after the following: " against" the following: ' reasonably foreseeable'

Amend the bill in section 1 in §2264 in subsection 6 in paragraph B in the last line (page 6, line 16 in L.D.) by inserting after the following: " accessible" the following: ' to'

Amend the bill in section 1 in §2264 in subsection 9 in the first line (page 7, line 1 in L.D.) by striking out the following: " February" and inserting the following: ' April'

Amend the bill in section 1 in §2265 by striking out all of subsection 2 (page 7, lines 25 to 28 in L.D.) and inserting the following:

2. System maintained by 3rd-party service provider. If a licensee learns that a cybersecurity event has or may have occurred in an information system maintained by a 3rd-party service provider, the licensee shall either use its best efforts to complete the steps listed in subsection 1 or confirm that the 3rd-party service provider has completed those steps.

Amend the bill in section 1 in §2266 in subsection 1 in the 3rd line (page 7, line 35 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'

Amend the bill in section 1 in §2266 in subsection 5 in paragraph A in subparagraph (1) in the 2nd line (page 9, line 32 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'

Amend the bill in section 1 in §2266 in subsection 5 in paragraph B in subparagraph (1) in the 2nd line (page 10, line 2 in L.D.) by striking out the following: " 72 hours" and inserting the following: ' 3 business days'

Amend the bill in section 1 in §2266 in subsection 6 in the 6th line (page 10, line 13 in L.D.) by striking out the following: " as soon as practicable" and inserting the following: ' no later than the time consumers must be notified under subsection 3 or'

Amend the bill in section 1 in §2269 in subsection 1 in the last line (page 11, line 12 in L.D.) by inserting after the following: " contractors" the following: ' working for the licensee in the business of insurance'

Amend the bill in section 1 in §2269 by striking out all of subsection 2 (page 11, lines 13 to 18 in L.D.) and inserting the following:

2. Licensees subject to federal law. The following provisions apply to licensees subject to federal law.

A. A licensee that is subject to and in compliance with the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and related privacy, security and breach notification regulations pursuant to 45 Code of Federal Regulations, Parts 160 and 164 and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5 is considered to meet the requirements of this chapter, other than the requirements of section 2266, subsection 1 for notice to the superintendent, if:

(1) The licensee maintains a program for information security and breach notification that treats all nonpublic information relating to consumers in this State in the same manner as protected health information;

(2) The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and

(3) The superintendent has not issued a determination finding that the applicable federal regulations are materially less stringent than the requirements of this chapter.

B. A licensee that is a producer business entity owned by a depository institution and maintains an information security program in compliance with the standards for safeguarding customer information as set forth pursuant to the Gramm-Leach-Bliley Act, 15 United States Code, Sections 6801 and 6805 is considered to meet the requirements of section 2264 if:

(1) Upon request, the licensee produces documentation satisfactory to the superintendent that independently validates the controlling depository institution's adoption of an information security program that satisfies the standards for safeguarding customer information;

(2) The licensee annually submits to the superintendent a written statement certifying that the licensee is in compliance with the requirements of this paragraph; and

(3) The superintendent has not issued a determination finding that the standards for safeguarding customer information are materially less stringent than the requirements of section 2264.

Amend the bill in section 1 in §2272 in the first paragraph in the first line (page 11, line 34 in L.D.) by striking out the following: " January" and inserting the following: ' June'

Amend the bill in section 1 in §2272 in the first paragraph in the 2nd line (page 11, line 35 in L.D.) by striking out the following: " January" and inserting the following: ' June'

Amend the bill by relettering or renumbering any nonconsecutive Part letter or section number to read consecutively.

SUMMARY

This amendment makes the following changes to the bill.

1. It clarifies the definitions of "authorized individual," "insurance carrier" and "nonpublic information."

2. It extends the time period for notification of a cybersecurity event from 72 hours to no later than 3 business days.

3. It changes the date by which an insurance carrier must annually certify compliance with the requirements for an information security program from February 15th to April 15th.

4. It clarifies the exemption for small business licensees and for certain licensees subject to federal law.

5. It changes the effective date to June 1, 2021.

FISCAL NOTE REQUIRED
(See attached)
