SP0209
LD 696
PUBLIC Law, Chapter 512

on - Session - 129th Maine Legislature
 
 
Bill Tracking, Additional Documents Chamber Status

An Act To Require Municipalities and School Districts To Provide Notice of Breaches in Personal Data Security

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 10 MRSA §1347, sub-§5,  as amended by PL 2005, c. 583, §3 and affected by §14, is further amended to read:

5. Person.   "Person" means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities. "Person" as used in this chapter may not be construed to require duplicative notice by more than one individual, corporation, trust, estate, cooperative, association or other entity involved in the same transaction.

Sec. 2. 10 MRSA §1348, sub-§1,  as repealed and replaced by PL 2005, c. 583, §6 and affected by §14, is amended to read:

1. Notification to residents.   The following provisions apply to notification to residents by information brokers and other persons.
A. If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
B. If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

The notices required under paragraphs A and B must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement pursuant to subsection 3 or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security and confidentiality of the data in the system. If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope.

Sec. 3. 10 MRSA §1349, sub-§2, ¶A,  as amended by PL 2005, c. 583, §11 and affected by §14, is further amended to read:

A. A fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation of this chapter, except that this paragraph does not apply to State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System or Maine Maritime Academy;

Effective 90 days following adjournment of the 129th Legislature, First Regular Session, unless otherwise indicated.


Top of Page