Maine Data Breach Notification Law

PL 2005, c. 583, §§6-9 (AMD). A Q&A guide to state data breach notification laws in Maine.

Security breach notice requirements. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media. Personal information does, however, include any of the above data elements when not in connection with the individual's first name, or first initial, and last name, if the information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised. The essential purpose of the Notice of Risk to Personal Data Act is informational: to ensure prompt notification to persons at risk.

The Security Guidelines were issued with a view toward preventing or responding to foreseeable threats to, or unauthorized access or use of, customer information. The Federal Trade Commission has a great deal of helpful guidance for businesses to help with the task of keeping customer information secure, including a brochure, Protecting Personal Information: A Guide for Businesses, http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business.

The Bureau's survey contained two parts. The survey's judgment items include any final court order or arbitration award in favor of your financial institution or pursuant to which your financial institution has been ordered to pay any damages and/or costs. Responses: For many financial institutions, no audits were conducted.
Don't store sensitive information on computers with internet connections. Regularly run anti-spyware and anti-virus programs. Encrypt sensitive data you send to outside entities, and consider encrypting data you store (you might still get hacked, but the hacker can't use the data). Require employees to use passwords, make sure they are strong passwords, and always change default passwords when you get new software. Use firewalls to protect your computers while they are connected to the internet. Conduct employee background checks and training, and follow good exit procedures when an employee leaves.

10 M.R.S.A. §§ 1346 to 1350-B (the Data Act) has been effective since January 1, 2006. Various data breach notification laws have also been passed in other states in response to a growing national concern about identity theft in the wake of several large and well publicized data breaches.

1. Notification to residents. [PL 2005, c. 583, §6 (NEW); PL 2005, c. 583, §14 (AFF).]

A third party that maintains, on behalf of another Entity, computerized data that includes PI that the third party does not own shall notify the owner of the PI of a breach of the security of the system immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.

For each breach that occurred, the Bureau asked each financial institution to describe what personal information was breached, to the extent it is described in any breach notifications, such as CAMS alerts, received by the financial institution (e.g., Track 1 or Track 2 data). Once identified, financial institutions may respond accordingly.
10 M.R.S.A. § 1346 ("Maine's Data Breach Law") sets forth the protocol that agencies, businesses, and organizations within the state of Maine are required to follow in the event that said entities experience a security breach that leads to the unauthorized disclosure of personal information pertaining to residents of the state. An information broker or any other person who becomes aware of a breach of his or her computer system's security must investigate the problem in good faith, reasonably and promptly. The awareness standard that triggers the investigation is deliberately low. If notification has been delayed at the request of law enforcement, it must then be made within 7 days after law enforcement determines that notification will not compromise any criminal investigation.

Iowa's law, by comparison, provides that if an Entity suffers a security breach requiring notification of more than 500 Iowa residents, the Entity must give written notice following discovery of the breach, or receipt of the notification required of third parties, to the director of the consumer protection division of the Attorney General's office.

Use wipe utility programs when discarding old computers or storage devices.

d) The PCI Standard. In addition to the laws that seek to prevent data breach and deter identity theft, the card industry itself has standards designed to prevent breach and deter fraud.

APPENDIX A: Data Security Breach Questions. Introduction. Pursuant to L.D.

The Bureau was further mandated to submit its findings to the Insurance and Financial Services Joint Standing Committee by December 1, 2008. Although these CAMS alerts did not identify the source of the breach, the Bureau was able to identify and group the alerts by source, inferring the source from the proximity of the dates of the CAMS alerts and their code numbers.
A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the notification obligations as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the Data Act's. For this safe harbor to apply, the other law's notification requirements must be at least as protective as the Data Act's requirements.

CAMS alerts were the only alert mentioned by name.

Survey table: Identify breach and date of occurrence. Columns: Direct ($), Indirect ($), Affected Accounts (#), Estimated Hours (#).

Before discussing the impact of data breaches on Maine's financial institutions, Part I of this Report will review the various laws, guidelines and regulations that help prevent identity theft by requiring or encouraging safekeeping of personal information by financial institutions and other businesses. These federal guidelines require the establishment of an identity theft prevention program within every financial institution that is designed to detect, prevent and mitigate identity theft in connection with covered accounts, including personal debit and credit card accounts.
The FTC Disposal Rule, specific to consumer credit reports, requires organizations that obtain consumer credit reports to properly dispose of that sensitive information. The bills modify the data breach notification requirements. Depending on the sophistication of your systems, this could mean off-the-shelf security software or a professional security audit.

The Court held that the economic loss rule barred the financial institutions' negligence claim because they claimed damages only for economic losses, not for damages to persons or property. For a list of the regulating agencies at the Department of Professional and Financial Regulation and information about their respective responsibilities, see the Department's website.

Covered entities: any individual, corporation, business trust, estate, trust, partnership, association, nonprofit corporation or organization, cooperative, state agency or any other legal entity (collectively, Entity) that owns or licenses computerized data that includes PI. Maine's Data Breach Law is typical of many other state laws in defining what type of lost personal information requires notification. Maine's Data Breach Law requires that notice must be given to residents expediently and without delay, but consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the breach.

Survey cost items: 5. External legal: (a) investigation/consultation, (b) defendant/third-party costs, (c) plaintiff costs. 13. Free or discounted services to customers.

The Hannaford breach had the largest impact, affecting the most institutions (71), the highest number of affected account holders (243,599), and the largest dollar cost ($1.6 million).
The Bureau asked each financial institution to be as specific as possible in identifying each breach, e.g., the entity name where the breach occurred (including the name of your financial institution, if applicable), or, if unavailable, the entity type, date or code number, as indicated on any CAMS (Compromised Account Management System) or similar fraud alerts. Each of these settlements required these entities to establish and implement a comprehensive information security program and to submit to third-party audits for 20 years.

What to do After a Data Breach: A Primer on Maine's Security Breach Law Notification Obligation.

Once fraud has taken place, the Electronic Funds Transfer Act (implemented by federal Regulation E) protects consumers in the event of data breach occurrences. The term Track 1 data, on the other hand, means that the information contained in the magnetic stripes of credit and debit cards is more dense, does contain alphabetic text and, hence, contains the cardholder's name. The standard originally began as a number of individual programs established separately by each of the major credit card companies.

MAINE DATA BREACH STUDY. RESOLVE Chapter 152, 123rd Maine State Legislature: Resolve, Directing the Bureau of Financial Institutions To Study Data Security Breaches in the State. LR 2889, item 1, signed on 2008-03-17, 123rd Legislature.
Penalties. An enforcing agency at the Department of Professional and Financial Regulation, or if applicable the Attorney General, may seek to impose a fine of up to $500 per violation for each day the person violates the law, equitable relief, or an injunction against further violations of the Data Act. The following are answers to basic questions about the Data Act (Title 10, Chapter 210-B).

Substitute notice shall consist of all of the following: email notice, conspicuous posting on the Entity's website, and notification to major statewide media.

This notice must include the date of the breach, an estimate of the number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach. If notice is not delayed due to law enforcement, notification must be made no more than 30 days after becoming aware of the breach and identifying its scope.

Survey cost item 9: Judgment (in favor).

Under Minnesota's law, these costs may include, but are not limited to: (1) the cancellation or reissuance of any access device affected by the breach; (2) the closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions with respect to the accounts; (3) the opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach; (4) any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach; and (5) the notification to cardholders affected by the breach.
The Hannaford fraud losses occurred in more than 712 accounts (five of the 22 institutions that suffered a fraud loss did not report the number of accounts). Several other financial institutions reported that they first learned of data breaches directly from their card or data service processors (e.g., Elan, Metavante and Fair Isaac), and one reported learning of the breach through the Maine Association of Community Banks (MACB).

On October 22, 2008, the FTC announced that it would suspend enforcement of the new Red Flags Rule until May 1, 2009, to give non-bank creditors and state-chartered financial institutions additional time in which to develop and implement written identity theft prevention programs.

(The court found that BJ's had breached its contract with VISA, more particularly VISA's operating regulations, which include the Cardholder Information Security Program, or CISP, providing for security requirements relating to the protection of cardholder information.)
The notices must be made as expediently as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with measures necessary to determine the scope of the security breach and restore the reasonable integrity, security, and confidentiality of the data in the system. When notice of breach is required, notification can be provided either in writing or electronically. In addition to sending letters, some smaller financial institutions notified their customers by telephone, some financial institutions posted website alerts, and at least one established a dedicated hotline for customers who had questions about the data breach. In a minority of cases, financial institutions provided their customers with the option of having their cards replaced.

The elements of the program must include procedures to identify and detect patterns, practices, or activities considered to be red flags that indicate possible identity theft. These actions help prevent identity theft, defined in the guidelines as a fraud committed or attempted by using the identifying information of another person without authority.

Survey item: Losses sustained as a result of actual fraudulent or unauthorized transfers from accounts.

Personal information also does not include information from third-party claims databases maintained by property and casualty insurers. PL 2005, c. 583, §14 (AFF).

Resolved: That the Department of Professional and Financial Regulation, Bureau of Financial Institutions shall submit its findings under section 1 to the joint standing committee of the Legislature having jurisdiction over insurance and financial services matters by December 1, 2008.

Today's technology provides us with extraordinary benefits. The CAMS alert notifies financial institutions of the accounts that may have been compromised.
For example, an institution may have reported an investigation expense but not attributed any hours to that action. In addition to this information, some financial institutions reported on the communication chains following discovery of a breach, starting with internal notifications to management and employees, followed by notification to customers, providing website alerts, establishing hotlines, hot carding or soft carding cards, reissuing new cards, and monitoring of unauthorized or fraudulent activities.

Pursuant to the updated Authentication Guidance, the federal agencies state that single-factor authentication is inadequate for high-risk transactions involving access to customer information over the Internet or the movement of funds to other parties. The Security Guidelines established standards relating to administrative, technical and physical safeguards to ensure the security, confidentiality, integrity and proper disposal of customer information.

Survey cost item 10: Judgment (against); (a) insurance recovery.

An amendment effective September 19, 2019 added municipalities and school administrative units to the list of public entities subject to the Data Act and put a 30-day cap on the time in which notification of a breach must be made, unless there has been a law enforcement delay. Those subject to the Data Act should err on the side of investigating potential breaches and should tailor each investigation to the facts of the particular breach. In Maine, if you are a company that has experienced a computerized data security breach and are required to report the breach to the Attorney General, you can use the Maine Security Breach Reporting Form.

It has given us the ability to conduct business online, share information about ourselves with those who live thousands of miles away and access information at the "speed of light."
The Data Act prohibits an unauthorized person from releasing or using an individual's personal information acquired through a data security breach. However, in cases where entities are regulated by the Department of Professional and Financial Regulation, such as financial institutions, the relevant Bureau within the Department is responsible for enforcement. Consumers must be notified of cybersecurity events in accordance with Maine's general data breach notification law.

10 M.R.S.A. § 1348. Security breach notice requirements.

As mentioned above, a CAMS alert is an email sent out by a card issuer (e.g., Visa) after it has verified that an account compromise potentially has occurred. However, in all three cases, the numbers reported were generally of the same order. See Table 7 below for more details.

However, this announcement does not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

Data for this page extracted on 10/04/2022 15:47:00.
For each breach, how many accounts, if any, were subject to unauthorized or fraudulent transfers, and what amount from your financial institution was transferred fraudulently or without authorization?

In the case of very large breaches, Maine's law allows for substitute notice via email, conspicuous posting and statewide media, if: (a) providing normal written notice would cost over $5,000; (b) the number of affected persons exceeds 1,000; or (c) there is insufficient contact information. Notice may be provided by one of the following methods; substitute notice is available where those conditions are met.

2. Notification to person maintaining personal information. [PL 2005, c. 583, §7 (AMD); PL 2005, c. 583, §14 (AFF).]

The Data Act covers information brokers and other persons who maintain computerized data that includes personal information. The definition of person is broad. It includes individuals and business entities. L.D. 696 (signed into law June 28, 2019, Chapter 512).

The financial institutions' claims against BJ's Wholesale Club Inc. were dismissed by a Pennsylvania Federal District Court. However, if the consumer fails to give notice within this 60-day period, the consumer may be liable for any transactions occurring after the close of this 60-day period and before the consumer gives notice to the institution.

Survey cost items: 7. External consultant. 11. Settlement paid out; (a) insurance recovery.

For the 34 institutions with assets less than $100 million, the average time per reissued card was 8 minutes, with a low of 1 minute and a high of 49 minutes, in addressing the Hannaford breach. Responses: In general, the number of accounts, customers or cards affected at each financial institution was proportionate to the financial institution's total assets (i.e., the smaller the financial institution's assets, the lower the number of accounts affected).
Generally, financial institutions decided to mail notifications to customers, informing them that their accounts would be hot carded and that new cards would be issued together with PINs. The Bureau's survey revealed that most of the responding financial institutions were affected by the TJX and Hannaford data breaches.

Others subject to the Data Act must notify any Maine resident whose personal information has been or is reasonably possible to be misused. The purpose of the Data Act is to warn those at risk of identity theft or other loss resulting from release of personal information so that they in turn can take steps to protect themselves.

5. Notification to state regulators. [PL 2005, c. 583, §9 (AMD); PL 2005, c. 583, §14 (AFF).]

Substitute notice consists of: email notice, if the Entity has email addresses for the individuals to be notified; conspicuous posting of the notice on the Entity's website, if the Entity maintains one; and notification to major statewide media.

Section 1312 enables consumers to place a security freeze on their credit report so that an unauthorized third party may not apply for credit in that person's name. In addition to penalties for persons that fail to disclose a data breach, Maine recently passed a criminal law designed to deter and punish those who misuse identifying information like that obtained in a data breach (17-A M.R.S.A. § 905-A). L.D. 672 (signed into law May 19, 2009, Chapter 161).

Unfortunately, it has also provided the same benefits to identity thieves who use someone else's personal financial information to access bank accounts and obtain credit, often destroying the life savings and good credit history of innocent victims.
Such devices include computers, storage discs or tapes, flash drives, Blackberries and computerized phone systems.

With respect to the Hannaford breach, the lowest number was 95 and the highest number was 11,793. Further, detailed comparisons between the TJX breach and the Hannaford breach are limited, mostly because more and better records were generally maintained on the Hannaford breach based on the experience gained from the earlier TJX breach.

One notice reported a 2020 data breach at Netsential, a company that provides third-party web hosting services to over 200 law enforcement and government agencies throughout the United States.

Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system.

b) Federal guidelines. Pursuant to Maine's Data Breach Law, financial institutions that comply with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law are deemed to be in compliance with the requirements of Maine's Data Breach Law as long as the law to which the financial institution is subject is at least as protective as Maine's Data Breach Law.

Minnesota's law was passed in August 2007, and the section in the law providing liability for costs became effective on August 1, 2008. One provision requires credit card machines to truncate all credit and debit card numbers on non-manual receipts.

PL 2005, c. 379, §1 (NEW). If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system. PL 2009, c. 161, §3 (AMD).
Responses: There was only one report of a data breach that occurred at a financial institution since January 1, 2007.

In 2005 and 2006, the FTC announced significant settlements with entities, including ChoicePoint, that have had personal information data under their control breached or compromised.

TABLE 9. TIME DISTRIBUTION BY CARDS REISSUED (Ave and Range are per-card times in minutes)

Cards Reissued   | TJX: # FI | Ave | Range   | Hannaford: # FI | Ave | Range
0 - 499          |    15     |  25 | 4 - 206 |       11        |  14 | 4 - 49
500 - 999        |     9     |  13 | 4 - 28  |        6        |  25 | 1 - 73
1,000 - 2,499    |    14     |  16 | 5 - 53  |       18        |   9 | 2 - 25
2,500 - 4,999    |     3     |   4 | 2 - 5   |       20        |   7 | 1 - 21
5,000 - 7,499    |     1     |   5 | 5       |        8        |   6 | 2 - 15
7,500+           |     0     | N/A |         |        2        |   1 | 1 - 2
TOTAL            |    42     |  12 | 2 - 206 |       65        |   7 | 1 - 73

Table 10 provides the same data as Table 9, but is based on the asset size of the institutions.

Survey cost item 4: Reissuance costs: (a) credit card reissuance, (b) debit card reissuance, (c) other reissuance (e.g., checks).
