Maine’s surprising role in data breach reporting

The way disclosures should be.

CDK. Find Great People. Varsity Brands. It seems like every cybersecurity breach gets reported on first through the state of Maine—a surprising role for the small northern New England state with a population just over one million, and growing slowly.

But it makes sense once you get a better idea of the law. The reason, according to Danna Hayes, office special assistant at the Maine Attorney General’s office, is likely that the state’s law around cybersecurity reporting is so strict.

“Maine’s law requires disclosure if one Maine resident has been affected,” Hayes told IT Brew in an email. “While I can’t speak to other states’ laws or practices, I believe that might be why Maine’s disclosures are often cited.”

Legal eagles. The law in question? Maine’s Notice of Risk to Personal Data Act. The law covers the responsibilities of information and data brokers who suffer breaches, specifically to “give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.” The emphasis on “a resident” means that all it takes is one.

For years, Maine, along with Nevada and California, had the strongest privacy reporting requirements in the country. Today, more states have gotten on board with stricter requirements. And Maine lawmakers have continued their efforts to protect consumers. Earlier this year, the Data Privacy and Protection Act, legislation that would have created the strongest data privacy protections in the nation, died between houses—lawmakers rejected the bill in April to the chagrin of sponsor Rep. Maggie O’Neil.

“Mainers will be left without protections,” O’Neil told the Maine Morning Star. “That’s disappointing because Mainers deserve these and we should have had them a long time ago.”