10 §1347. Definitions

Title 10: COMMERCE AND TRADE

Part 3: REGULATION OF TRADE

Chapter 210-B: NOTICE OF RISK TO PERSONAL DATA HEADING: PL 2005, C. 379, §1 (NEW)

§1347. Definitions

As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings. [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

1. Breach of the security of the system. "Breach of the security of the system" or "security breach" means unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person. Good faith acquisition, release or use of personal information by an employee or agent of a person on behalf of the person is not a breach of the security of the system if the personal information is not used for or subject to further unauthorized disclosure to another person.

[ 2009, c. 161, §1 (AMD); 2009, c. 161, §5 (AFF) .]

2. Encryption. "Encryption" means the disguising of data using generally accepted practices.

[ 2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF) .]

3. Information broker. "Information broker" means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated 3rd parties. "Information broker" does not include a governmental agency whose records are maintained primarily for traffic safety, law enforcement or licensing purposes.

[ 2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF) .]

4. Notice. "Notice" means:

A. Written notice; [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

B. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 United States Code, Section 7001; or [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

C. Substitute notice, if the person maintaining personal information demonstrates that the cost of providing notice would exceed $5,000, that the affected class of individuals to be notified exceeds 1,000 or that the person maintaining personal information does not have sufficient contact information to provide written or electronic notice to those individuals. Substitute notice must consist of all of the following:

(1) E-mail notice, if the person has e-mail addresses for the individuals to be notified;

(2) Conspicuous posting of the notice on the person's publicly accessible website, if the person maintains one; and

(3) Notification to major statewide media. [2005, c. 583, §14 (AFF); 2005, c. 583, §2 (AMD).]

[ 2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF); 2005, c. 583, §14 (AFF); 2005, c. 583, §2 (AMD) .]

5. Person. "Person" means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities. "Person" as used in this chapter may not be construed to require duplicative notice by more than one individual, corporation, trust, estate, cooperative, association or other entity involved in the same transaction.

[ 2005, c. 583, §14 (AFF); 2005, c. 583, §3 (AMD) .]

6. Personal information. "Personal information" means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

A. Social security number; [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

B. Driver's license number or state identification card number; [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

C. Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords; [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

D. Account passwords or personal identification numbers or other access codes; or [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

E. Any of the data elements contained in paragraphs A to D when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised. [2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF).]

"Personal information" does not include information from 3rd-party claims databases maintained by property and casualty insurers or publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

[ 2005, c. 583, §14 (AFF); 2005, c. 583, §4 (AMD) .]

7. System. "System" means a computerized data storage system containing personal information.

[ 2005, c. 379, §1 (NEW); 2005, c. 379, §4 (AFF) .]

8. Unauthorized person. "Unauthorized person" means a person who does not have authority or permission of a person maintaining personal information to access personal information maintained by the person or who obtains access to such information by fraud, misrepresentation, subterfuge or similar deceptive practices.

[ 2005, c. 583, §14 (AFF); 2005, c. 583, §5 (AMD) .]

SECTION HISTORY

2005, c. 379, §1 (NEW). 2005, c. 379, §4 (AFF). 2005, c. 583, §§1-5 (AMD). 2005, c. 583, §14 (AFF). 2009, c. 161, §1 (AMD). 2009, c. 161, §5 (AFF).