Recent media attention has highlighted a disturbing trend: information security breaches are on the rise. These breaches can cost a business a lot of time and money. They can also result in a loss of customer trust and brand reputation – valuable commodities that are easier to lose than to earn back. While most businesses try to mitigate the risk of a security breach, many may not be aware of their requirements under Maine law in the event that a breach occurs.
Under Maine’s Notice of Risk to Personal Data Act (“Data Act”), every individual or entity that keeps unencrypted “personal information” in its computer systems has certain obligations. “Personal information” means an individual’s first and last name combined with another piece of personally identifiable information, such as a Social Security number, driver’s license number, credit card number, PIN, or password.
An entity must do several things if it learns that a breach has occurred:
- Promptly investigate the breach;
- Notify any Maine resident whose personal information was breached if misuse has occurred or is reasonably likely to occur; and
- If the breached organization maintains information for another entity, notify that entity.
Failure to issue notice quickly enough can result in fines. Further, in addition to these notice and investigation requirements, an organization that experiences a breach may be sued by those affected for negligence or breach of contract.
There are steps an organization can take to avoid these consequences. Every organization should adopt some form of information security program. Personal information should be encrypted both when stored and when transmitted: the Data Act applies only to unencrypted “personal information,” and encrypted data is much harder to misuse.
These steps will help businesses rest easier, knowing their customer information and brand reputation are secure. For more information, contact the attorneys at Tucker Law Group.