Shostack + Friends Blog Archive


Remembering the Maine

From Maine’s Public Law, Chapter 583, passed April 2006:

Sec. 9. 10 MRSA §1348, sub-§5, as enacted by PL 2005, c. 379, §1 and affected by §4, is amended to read:
5 . Notification to state regulators. When notice of a breach of the security of the system is required under subsection 1, the information brokerperson shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the information brokerperson is not regulated by the department, the Attorney General.

Maine now joins an exclusive club. Now all breaches, not just those of information brokers, must be reported to the AG’s office. Only New York has a similar law. The duty to notify applies to every “person”, now defined as:

an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities.

The emphasized portion is new law. Government agencies, colleges, and Universities just had new responsibilities placed on them. Among reported breaches, these are the most often seen types of institutions. Coincidence?
Update 7/18/2006: North Carolina’s law does the right thing, too.