August 20, 2025 - Alerts and Newsletters

        Maine’s Law Relating to Data Breaches: An Overview

        Like most U.S. states, Maine has a statute that requires investigations and sometimes notice to third parties after data breaches. The statute—the Notice of Risk to Personal Data Act—took effect in 2005. This article summarizes the law.

        Overview and Important Definitions

        Maine’s Notice of Risk to Personal Data Act is codified at §1346 et seq. of Chapter 210-B of Part 3 of Title 10 of the M.R.S. The statute applies to any company or person who maintains various categories of personal information.

        Key defined terms in the Notice of Risk to Personal Data Act include:

        Person means any individual, business entity, and Maine state government agency, among others.

        Unauthorized Person means a person who lacks another person’s permission to access personal information maintained by that other person or who accesses that same personal information by fraud, deception, or similar practices.

        Information Broker means a person whose financially compensated business includes collecting, reporting, and taking other actions about individuals for the main purpose of providing personal information to non-affiliated third parties.

        Personal Information means any of the following, except when redacted or encrypted and with other exceptions:

        • an individual’s first name or first initial and their last name, when kept in combination with other types of identifying information (e.g., social security number, driver’s license number, various types of payment information, and account passwords); or
        • those other types of identifying information when they are stored without name information but still provide enough detail to allow third parties to assume an individual’s identity.

        Security Breach or Breach of the Security of the System means an unauthorized acquisition, release, or use of an individual’s computerized data that includes personal information that compromises the security, confidentiality, or integrity of personal information of the individual that a person maintains. The statute treats certain good-faith disclosures as exempt from the definition of security breach, however.

        Investigations and Notifications After Security Breaches

        Any person who maintains computerized data that includes personal information must conduct a prompt, good-faith, and reasonable investigation when they become aware of a security breach. That investigation must determine the likelihood that personal information has been misused or will be misused. After the initial investigation, the person’s obligations differ depending on whether they are an information broker or any other person:

        • An information broker must notify each Maine resident whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. The broker must also notify the Department of Professional and Financial Regulation.
        • Any other person must notify each Maine resident whose personal information has been misused or whose misuse is reasonably possible, as well as the Maine Attorney General.

        If the person must notify more than one thousand Maine residents at once, then the person must also notify consumer reporting agencies of the incident.

        If law enforcement directs the person to delay further public disclosure of the breach pending its investigation, the person must delay notifying third parties but then begin sending any required notices within seven days after clearance from law enforcement. If law enforcement does not direct the suspension of third-party notices, then the person must give affected Maine residents notice. That notice must be sent  “as expediently as possible and without reasonable delay,” and in any case no more than 30 days after the person’s discovery of the breach.

        A Safe Harbor for Compliance with Other Reporting Laws

        A person is deemed compliant with the notification requirements under the Notice of Risk to Personal Data Act if that person complies with the breach notification requirements imposed by another Maine law or by federal law. This safe harbor only applies, however, if that other law’s notification provisions are at least as protective as those of the Notice of Risk to Personal Data Act.

        Actions by Unauthorized Persons

        The Notice of Risk to Personal Data Act also bars unauthorized persons from using or releasing personal information acquired through a security breach.

        Enforcement and Penalties

        Maine’s Notice of Risk to Personal Data Act does not create a private right of action. The Department of Professional and Financial Regulation enforces the statute with respect to those persons regulated or licensed by that Department. The Maine Attorney General enforces the law in all other cases.

        Violations of the statute are subject to equitable relief and fines of $500 per violation (capped at $2,500 per day containing multiple violations) for most actors. Penalties are cumulative, and do not pre-empt or affect other rights or remedies under federal or state laws.

        For more information about Maine’s privacy and data breach laws, please contact Adam Nyhan.

        Adam Nyhan is a Partner in Verrill’s Intellectual Property practice. He advises software, FinTech, AdTech, and other companies on privacy and Artificial Intelligence issues in compliance, licensing, B2B negotiations, and venture capital and M&A deals.

        Associated People

        Firm Highlights

        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...
        Blog

        Will the Knicks Beat the Spurs? (Are Prediction Market Event Contracts Gambling?)

        For those of you who like to keep score, currently 18 states are engaged in litigation over prediction markets, such as Kalshi and Polymarket,...