Can I avoid having a data breach response plan in Maine? What are the requirements?
Data Breach Response Plan Requirements in Maine
In Maine, it is mandatory for any person or entity that maintains computerized data containing personal information to have a data breach response plan [1.1]. The plan should include provisions for notifying residents, the person maintaining personal information, consumer reporting agencies, and state regulators in the event of a security breach [1.1].
The plan should be developed by an agency of the State that has jurisdiction over responding to an emergency and is deemed to be part of the comprehensive emergency management plan for the State [2.2].
If a licensee reasonably believes that the nonpublic information involved concerns 250 or more consumers residing in Maine and that the cybersecurity event is either of the following, then they must notify the superintendent as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event has occurred [4.1]:
- A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory organization, or other supervisory body pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming any consumer residing in Maine or any material part of the normal operation of the licensee.
The licensee must provide as much information regarding a cybersecurity event as possible, including the date of the cybersecurity event, a description of how the information was exposed, lost, stolen or breached, and the total number of consumers in Maine affected by the cybersecurity event [4.1].
Therefore, it is not possible to avoid having a data breach response plan in Maine if you maintain computerized data containing personal information. The penalty for violating this requirement is a civil fine of up to $500 per violation, up to a maximum of $2,500 for each day the person is in violation of this chapter [1.2].
In addition to the data breach response plan, Maine requires licensees to develop, implement, and maintain a comprehensive, written information security program based on the licensee’s risk assessment and containing administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information systems [4.2].
If you have any further questions, please let me know.
Source(s):
- [1.1] Security breach notice requirements
- [1.2] Enforcement; penalties
- [2.2] Plans deemed part of statewide comprehensive plan
- [4.1] Notification of cybersecurity event
- [4.2] Information security program
Jurisdiction
Maine