Maine Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Maine's Notice of Risk to Personal Data Act (10 MRSA sections 1346 through 1350-B) sets out some of the strictest breach notification timelines in the United States. While many states allow 45 or 60 days to notify affected residents, Maine caps the window at 30 days from the date an organization discovers the breach and determines its scope.
The law applies broadly. Information brokers, private businesses, government agencies, municipalities, school districts, and universities all fall within its reach. Since taking effect on January 31, 2006, the statute has been amended several times, most notably in 2019 when lawmakers added the 30-day hard deadline and expanded coverage to municipalities and school administrative units.
This guide breaks down every requirement under the Act, from who must notify to what penalties apply.
For a broader overview of data protection in the state, see our [Maine Data Privacy Laws](/us-laws/data-privacy-laws/maine-data-privacy-laws) hub.
Who Must Comply
Maine's breach notification law covers two categories of entities, each with slightly different obligations.
Information brokers are persons whose primary business involves collecting and compiling personal information about individuals for the purpose of furnishing that data to unaffiliated third parties in exchange for monetary fees. Government agencies engaged in traffic and law enforcement functions are excluded from this definition.
All other persons who maintain computerized data containing personal information must also comply. The statute defines "person" broadly to include individuals, partnerships, corporations, limited liability companies, trusts, estates, cooperative associations, and other business entities. A 2019 amendment explicitly added governmental entities, municipalities, school administrative units, the University of Maine System, the Maine Community College System, and Maine Maritime Academy to this definition.
When multiple entities are involved in the same breach event, the law does not require duplicative notice from each entity. This prevents affected individuals from receiving redundant notifications arising from a single incident.
What Counts as Personal Information
The Act protects specific combinations of data elements. A breach triggers notification only when an individual's first name or first initial and last name are compromised along with one or more of the following unencrypted or unredacted elements:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number that can be used without additional authentication
- Account passwords, personal identification numbers (PINs), or other access codes
- Any of the above data elements when the element alone, without the individual's name, would be sufficient to commit identity fraud
The statute explicitly excludes publicly available information from government records and information that is widely distributed by media from the definition of personal information. Third-party claims databases maintained by property and casualty insurance companies are also excluded.
What Is Not Covered
Unlike some states that have expanded their definitions in recent years, Maine's breach notification law does not include biometric data, health or medical information, or email addresses with passwords in the definition of protected personal information. However, health insurance entities that experience breaches are still subject to the notification requirements for any covered data elements they hold.
The Encryption Safe Harbor
Maine provides a clear safe harbor for encrypted data. If the compromised personal information was encrypted using "generally accepted practices," the breach does not trigger notification requirements.
The statute does not define "generally accepted practices" in further detail, leaving organizations to follow current industry standards such as AES-256 encryption. The safe harbor also applies to data that has been redacted, meaning the protected elements have been removed or obscured.
This is a significant protection. Organizations that encrypt personal information at rest and in transit can avoid the entire notification process if the encryption was not also compromised during the breach.

30-Day Notification Timeline
Maine's notification window is among the shortest in the nation. Organizations must provide notice "as expediently as possible and without unreasonable delay" and no later than 30 days after the person becomes aware of the breach and identifies its scope.
This 30-day clock starts running once two conditions are met: the organization knows a breach occurred, and it has determined the scope of the incident. The language "identifies its scope" gives organizations some flexibility to complete an initial investigation before the clock starts. However, organizations cannot use ongoing investigation as a justification for indefinite delay.
Law Enforcement Delay
The one exception to the 30-day deadline involves law enforcement. If a law enforcement agency determines that notification would compromise a criminal investigation, the organization may delay notification. However, this delay cannot exceed 7 business days after law enforcement determines that the notification will no longer interfere with the investigation.
Organizations should obtain written confirmation from law enforcement if they rely on this exception, though the statute does not explicitly require documentation.
Who Must Be Notified
When a breach triggers notification, multiple parties may need to be informed.
Affected Residents
Every Maine resident whose personal information was or is reasonably believed to have been acquired by an unauthorized person must receive notice. The statute draws a distinction between information brokers and other entities:
- Information brokers must notify residents after conducting a reasonable and prompt investigation, regardless of whether actual misuse has occurred.
- Other persons must notify residents when misuse of the personal information has occurred or is "reasonably possible."
State Regulators
Organizations must notify their applicable state regulator. If the entity is regulated by a department within the Maine Department of Professional and Financial Regulation (such as banks, credit unions, or insurance companies), it must notify that department. All other organizations must notify the Maine Attorney General.
The AG's office provides an Electronic Maine Security Breach Reporting Form for submitting notifications.
Consumer Reporting Agencies
If a breach affects more than 1,000 individuals, the organization must also notify nationwide consumer reporting agencies "without unreasonable delay." This notification must include the timing of the breach, the estimated number of affected persons, and the actual or anticipated date of individual notifications.
Third-Party Data Holders
Third-party entities that maintain personal information on behalf of another organization must notify the data owner "immediately" upon discovering a breach. The data owner then bears responsibility for notifying affected individuals and regulators.

Methods of Notification
The statute permits three methods of providing notice to affected individuals.
Written notice is the default and most straightforward method. Organizations mail a letter to the last known address of each affected individual.
Electronic notice is permitted if it complies with the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. section 7001). This generally requires that the recipient has affirmatively consented to receive electronic notices and has not withdrawn that consent.
Substitute notice is available when the organization demonstrates that any one of these conditions is met:
- The cost of providing direct notice would exceed $5,000
- The affected class exceeds 1,000 individuals
- The organization lacks sufficient contact information
Maine's $5,000 cost threshold for substitute notice is the lowest of any state with such a provision. Many states set this threshold at $250,000 or higher. This means smaller organizations that experience a breach affecting even a modest number of people may qualify for substitute notice relatively quickly.
Substitute notice requires all three of the following steps:
- Email notification to all affected individuals for whom the organization has an email address
- Conspicuous posting on the organization's website, if one exists
- Notification to major statewide media outlets
Required Content of Notice
The statute specifies that breach notifications to regulators and consumer reporting agencies must include:
- The date of the breach of security
- An estimate of the number of persons affected, if known
- The actual or anticipated date that individuals were or will be notified
The law does not prescribe the exact content that must appear in notices to affected individuals, but standard practice and Attorney General expectations typically include a description of the incident, the types of information involved, steps the individual can take to protect themselves, and contact information for the notifying organization.

Enforcement and Penalties
Maine divides enforcement authority between two bodies depending on the type of entity involved.
The Department of Professional and Financial Regulation enforces the law against entities it regulates, including banks, insurance companies, and other licensed financial entities.
The Attorney General enforces the law against all other persons.
Civil Penalties
Violators face a civil fine of up to $500 per violation, with a maximum of $2,500 for each day the organization remains in noncompliance. These amounts are relatively modest compared to states like California or New York, which can impose significantly larger penalties.
Government Entity Exemption
State government, municipalities, school administrative units, the University of Maine System, the Maine Community College System, and Maine Maritime Academy are exempt from financial penalties. They remain subject to the notification requirements but face no monetary fines for violations.
Equitable Relief
Beyond monetary penalties, enforcement agencies can seek equitable relief including injunctions to prevent further violations. These remedies are cumulative with any other legal remedies available under state and federal law.
No Private Right of Action
Maine's breach notification law does not create an explicit private right of action. Individuals cannot sue directly under this statute for a breach of their personal information. However, affected individuals may have other legal avenues, such as claims under the Maine Unfair Trade Practices Act (5 MRSA section 207) or common law negligence theories.
Federal Preemption Safe Harbor
Entities that are already subject to and comply with federal or state security breach notification requirements that are "at least as protective" as the requirements under section 1348 are deemed in compliance with the Maine law. This safe harbor benefits organizations subject to regulations like HIPAA, the Gramm-Leach-Bliley Act, or other sector-specific federal rules.
Section 1347-A: Prohibition on Unauthorized Use
Beyond notification requirements, the Act includes a separate prohibition under section 1347-A. This provision makes it a violation for any unauthorized person to release or use an individual's personal information that was acquired through a security breach.
This section targets the bad actors who exploit stolen data, not just the organizations that fail to secure it.
Interaction with the Maine Online Data Privacy Act (LD 1822)
As of March 2026, the Maine Online Data Privacy Act (LD 1822) has passed both chambers of the Maine Legislature but has not been signed into law. If enacted, it would take effect on July 1, 2026.
LD 1822 would create a comprehensive data privacy framework separate from the breach notification statute. The two laws address different aspects of data protection:
- The Notice of Risk to Personal Data Act governs what happens after a breach occurs: notification timelines, required recipients, and penalties for noncompliance.
- LD 1822 would govern how organizations collect, use, process, and share personal data before any breach happens, including data minimization requirements and consumer rights to access, correct, and delete their data.
The comprehensive privacy act would be enforced by the Attorney General under the Unfair Trade Practices Act, with penalties of up to $10,000 per intentional violation. It would not create a private right of action.
Organizations operating in Maine should monitor both laws, as compliance with breach notification requirements alone would not satisfy the broader data handling obligations LD 1822 would impose.
Comparison with ISP Privacy Law
Maine also has a separate broadband ISP privacy law (Title 35-A, section 9301), enacted in 2019 through LD 946. This law prohibits internet service providers from using, selling, or distributing customer personal information without express opt-in consent.
The ISP privacy law is distinct from the breach notification statute. It regulates ongoing data practices by broadband providers rather than post-breach obligations. An ISP that experiences a data breach would still need to comply with the Notice of Risk to Personal Data Act in addition to its obligations under Title 35-A.
Practical Steps for Compliance
Organizations that maintain personal information of Maine residents should take these actions to prepare for potential breaches:
Develop an incident response plan that accounts for Maine's 30-day notification deadline. Given the short window, organizations cannot afford to create a response protocol after a breach is discovered.
Know your regulator. Determine in advance whether your organization reports to the Department of Professional and Financial Regulation or the Attorney General. Having the correct reporting form ready saves critical time.
Encrypt personal information using generally accepted practices. This is the single most effective step an organization can take, because properly encrypted data that is breached does not trigger notification at all.
Maintain current contact information for customers and employees whose personal information you hold. Organizations that lack sufficient contact information for direct notice must use the substitute notice process, which involves media notifications and is more public.
Document your investigation timeline. Because the 30-day clock starts when the organization becomes aware of the breach and identifies its scope, maintaining clear records of when discovery occurred and when the investigation concluded is essential for demonstrating compliance.
This article is for informational purposes only and does not constitute legal advice. Data breach notification requirements can change as legislatures amend existing statutes or courts issue new rulings. Consult a qualified attorney licensed in Maine for guidance specific to your situation.
Sources and References
- Maine Notice of Risk to Personal Data Act, Chapter 210-B (legislature.maine.gov)
- Title 10, Section 1347: Definitions (legislature.maine.gov)
- Title 10, Section 1348: Security Breach Notice Requirements (legislature.maine.gov)
- Title 10, Section 1349: Enforcement and Penalties (legislature.maine.gov)
- Title 10, Section 1347-A: Release or Use of Personal Information Prohibited (legislature.maine.gov)
- Maine AG: Privacy, Identity Theft and Data Security Breaches (maine.gov)
- Maine PFR: Risk to Personal Data FAQs (maine.gov)
- Electronic Maine Security Breach Reporting Form (accessgov.com)
- LD 1822: Maine Online Data Privacy Act Status (legislature.maine.gov)
- Title 35-A, Section 9301: ISP Privacy Law (legislature.maine.gov)
- 15 U.S.C. Section 7001: E-SIGN Act (govinfo.gov)
- Public Law Chapter 512: Municipalities and School Districts Breach Notification (legislature.maine.gov)