Maine - Sectoral Privacy Overview
July 2024

1. RIGHT TO PRIVACY/CONSTITUTIONAL PROTECTION

The Constitution of the State of Maine (Constitution) does not establish a general privacy right. Section 5 of the Constitution, generally mirroring the Fourth Amendment to the Constitution of the United States (U.S. Constitution), provides that '[t]he people shall be secure in their persons, houses, papers, and possessions from all unreasonable searches and seizures; and no warrant to search any place, or seize any person or thing, shall issue without a special designation of the place to be searched, and the person or thing to be seized, nor without probable cause -- supported by oath or affirmation.'

Section 5 of the Constitution is coextensive with the Fourth Amendment to the U.S. Constitution, providing no greater privacy rights to citizens1.

2. KEY PRIVACY LAWS

Maine has four privacy torts as well as several privacy-related criminal and civil statutes.

2.1. Common-law Privacy Torts: Overview

Maine recognizes a common-law right to privacy. Violations of this right give rise to the four traditional torts of intrusion on the plaintiff's physical and mental solitude or seclusion, public disclosure of private facts, publicity placing the plaintiff in a false light in the public eye, and appropriation of another's likeness2.

A plaintiff in a privacy tort action need not plead or prove special damages. Punitive damages may be appropriate in cases of a wrongful motive or state of mind, but not where a good-faith defendant simply makes a mistake3.

The torts of intrusion, false light, and public disclosure may be maintained only by a living individual whose privacy is invaded4. An appropriation claim, unlike the other three privacy tort claims, may be maintained by a third party such as a parent of an infant plaintiff5.

2.2. False Light

The false-light tort consists of giving publicity to a matter concerning another that places the other before the public in a false light, where the false light would be highly offensive to a reasonable person and the defendant knows of or acts in reckless disregard to the falsity of the publicized matter and the false light in which the other will be placed6.

A 2024 case, Garey v. Stanford Management, explores the 'highly offensive' element. The defendant, a property management company, terminated its employee, the plaintiff7. The defendant then sent multiple communications to residents of an apartment building where the plaintiff had previously worked for the defendant. Taken together, those communications implied that the plaintiff posed a threat to the safety of the building's residents. The court held that the plaintiff plausibly alleged that the defendant had falsely portrayed her as dangerous, which sufficed to state a false-light claim.

The 'publicity' required for a false-light claim is more than the 'publication' that suffices for a defamation claim. While the latter can be satisfied by a communication to a single third party, the false-light tort requires disclosure 'to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge8.' Communication to 'a single person or a small subset of people is insufficient' for a false-light claim9. Thus disclosure to a group of six email addresses was insufficient in one case9, while in another (Garey, supra), disclosure to the tenants of an apartment building sufficed10.

2.3. Intrusion

A claim for intrusion upon the seclusion of another requires that a defendant intentionally intrude upon the solitude or seclusion of another in his private affairs if the intrusion would be highly offensive to a reasonable person11.

The defendant's intrusion must be intentional. In Lougee Conservancy, a bank in the course of foreclosure proceedings mistakenly entered and photographed the wrong property. The court held that the tort claim failed because while the defendants intended to enter some property, their good-faith error as to the identity of the property's owners did not satisfy the 'intentionality' element13.

The intrusion tort may apply even where the space intruded upon is not owned by the plaintiff. Thus, Maine courts have sustained the claim in cases where plaintiffs were photographed in their hospital rooms14.

To sustain an intrusion claim, courts generally require that the defendant physically enter the premises in question. In the leading case, Nelson v. Maine Times, 373 A.2d 1221 (Me. 1977), the defendant newspaper published a photograph of an infant plaintiff in a pastoral setting. The court upheld the trial court's dismissal of the intrusion allegations for failure to state a claim because the plaintiffs alleged no physical intrusion onto the infant plaintiff's 'solitude or seclusion.' The court distinguished its own earlier holding in Berthiaume's Estate, supra, where the defendant physician physically entered the room of a dying man to take and later publish photographs of his medical condition. The mere taking of a photograph without a physical intrusion, the Nelson court held, would not state a claim for the intrusion tort15.

Courts since Nelson have generally not allowed intrusion claims absent allegations of physical intrusion on property. See, e.g., Davis v. Theriault, 2023 WL 5628193 (D. Maine Aug. 31, 2023), at *67 (dismissing intrusion claim alleging that defendant contacted a person only through Facebook; although 'Nelson suggests that intrusion can occur by non-physical means, more recent… cases have required a 'physical' intrusion,' and 'It is doubtful whether contacting an individual by Facebook constitutes the required physical intrusion.') (internal citations omitted).

At least one court, however, has allowed an intrusion claim where the defendant's intrusion was electronic. In Thayer v. Reed, 2011 WL 2682723 (D. Maine July 11, 2011), the defendant was a former executive of the plaintiff company. The defendant surreptitiously read emails between the plaintiff's legal counsel and another employee. The court relied on commentary to the Restatement (Second) of Torts, which details scenarios in which opening a person's mail or tapping their telephone can support an intrusion claim. Based on that commentary, the court held that the alleged 'misappropriation of private emails' stated an intrusion claim16.

2.4. Publicity

The tort of public disclosure of private facts is also stated as 'publicity given to private life.' It consists of giving publicity to a matter about another person's private life where the matter publicized is of a kind that would be highly offensive to a reasonable person and is not of legitimate concern to the public17. Mere exposure of a person to undesired publicity, even where the exposure is unauthorized, does not suffice. In Nelson, therefore, where the published photograph disclosed no more about the infant plaintiff than the public could learn by glimpsing his face in person, the claim failed18.

The publicity must pertain to the plaintiff's private life and not her public life19. Publicity relating to an individual's role as an officer of a teachers' union, for example, does not qualify20.

A claim for public disclosure of private facts, like a false-light claim, requires a defendant's communication with more than one third party21.

2.5. Appropriation

The appropriation tort requires that22:

  • a defendant appropriates the name or likeness of another person;
  • the appropriation is for the defendant's benefit or use;
  • there is commercial or other value associated with the other person's name or likeness; and
  • a reasonable person could anticipate that the appropriation could cause mental distress and injury to another person possessed of ordinary feelings and intelligence.

Merely bringing a person's name or appearance before the public is too incidental to support this tort23.

In Nelson, where the infant plaintiff alleged that the defendant published his photograph but alleged no other benefit to the defendant, the claim failed24.

The benefit to the defendant need not be commercial in nature. In one case, the mere fact that a defendant maliciously sought to ridicule the plaintiff sufficed25.

2.6. Violation of Privacy and Interception of Communications; One-Party Consent to Recordings

Multiple Maine statutes address the disclosure of private events to third parties.

Violation of Privacy

The Violation of Privacy statute, codified under §511 of Chapter 21 of Part 2 of Title 17-A of the Maine Revised Statutes (M.R.S.), bars private actors from intentionally:

  • trespassing on property with the intent to overhear or observe people in private places (17-A M.R.S. §511(1)(A));
  • installing and using devices inside private places to observe or record private sounds or events there (17-A M.R.S. §511(1)(B));
  • installing and using devices outside private places that can detect sounds from within that would not ordinarily be detectable from outside, provided the people in those private places are entitled to privacy (17-A M.R.S. §511(1)(C)); and
  • using in public places electronic equipment to see through people's clothing (17-A M.R.S. §511(1)(D)).

An affirmative defense is available to 17-A M.R.S. §511(1)(D) where the surveilled person is at least 14 years old and consented to the surveillance.

In 17-A M.R.S. §511, 'private place' means one where a person may reasonably expect to be safe from surveillance, such as dressing rooms and bathrooms (17-A M.R.S. §511(2)). A 'private place' within the statute's meaning does not include a closed room where a person engages in the services of a prostitute. While that person may subjectively expect privacy, that expectation is not 'reasonable,' and recording the activity, therefore, does not violate 17-A M.R.S. §511(1)(B)26. In Strong, the court expressly declined, however, to declare that a privacy violation can never be found where the person otherwise entitled to privacy engages in criminal activity27.

A violation of 17-A M.R.S. §511 is a Class D crime, subject to less than one year of imprisonment or a $2,000 fine (17-A M.R.S. §§1604 and 1704). If the perpetrator violates the privacy of a person less than sixteen years old for the purpose of sexual gratification (of the violator or of a third party), then the perpetrator must also register as a sex offender (17-A M.R.S. §511(1)(F); 34-A M.R.S. §14(C-1)).

Revenge Porn

Another criminal statute, the so-called 'Revenge Porn Act,' bars the unauthorized dissemination of videos and other recordings of identifiable people who are nude or engaged in sexual activities (17-A M.R.S. §511-A). Violation of section 511-A is also a Class D crime, subject to less than one year of imprisonment or a $2,000 fine (17-A M.R.S. §§1604 and 1704).

Interception of Wire and Oral Communications

A third statute, titled 'Interception of Wire and Oral Communications' (Chapter 102 of Part 2 of Title 15 of the M.R.S.) carries both criminal penalties and a private right of action for victims. Key defined terms in 15 M.R.S. Chapter 102 include:

Interception: hearing, recording, or aiding another in hearing or recording the contents of a wire or oral communication through the use of an intercepting device (15 M.R.S. §709(4)). Interception does not include the specified conduct when done by the sender or receiver of the communication. (Put differently, Maine is a 'one-party consent' state: the consent of only one party to a communication is required in order to record it.) Nor does interception include the specified conduct when done by a person within range of normal, unaided hearing, or of subnormal hearing corrected to not better than normal hearing.

Finally, no 'interception' occurs when a person acting with the prior authority of either the sender or receiver engages in the specified conduct (15 M.R.S. §709(4)). One application of this rule arises in parental disputes over child custody. Where a parent has a good-faith, objectively reasonable belief that doing so is necessary and in the child's interests, the parent may authorize themselves (on behalf of that child) to record the child's phone calls with a third party. Griffin v. Griffin, 2014 ME 70, ¶¶ 26-29, 92 A.3d 1144, 1152-1153. This rule follows from a parent's 'fundamental liberty interest' in directing their children's care and their 'duty to protect their children.' Id. ¶ 26, 92 A.3d at 1152.

Intercepting device: any device or apparatus that can be used to intercept a wire or oral communication, with some exceptions (e.g., hearing aids, telephones) (15 M.R.S. §709(3)).

Chapter 102 generally bars the following actions by private actors:

  • intercepting, attempting to intercept, or procuring another person to intercept or attempt to intercept a wire or oral communication (15 M.R.S. §710(1));
  • disclosing or attempting to disclose the contents of a wire or oral communication to any person, or otherwise using or attempting to use the contents of that communication, knowing that the information was obtained by interception (15 M.R.S. §710(2) and (3));
  • possessing any device designed or commonly used for intercepting wire or oral communications (15 M.R.S. §710(5)); and
  • selling, exchanging, delivering, giving, or furnishing any device designed or commonly used for intercepting wire or oral communications, or possessing such a device with the intention of selling it (15 M.R.S. §710(6)).

Criminal penalties and scienter

Violations of 15 M.R.S. §§710(1) (interception, attempt, procurement) and 710(2) and (3) (disclosure or use) must be intentional or knowing. The degree of culpability required to violate section 710 is consistent with the culpability required by the Maine statute's federal analogs.

A violation of 15 M.R.S. §710(5) (possession) is a strict liability offense, requiring no scienter. All of the above are Class C crimes, subject to maximum sentences of five years in prison or a $5,000 fine (17-A M.R.S. §§1604 and 1704).

Violations of 15 M.R.S. §710(6) (selling and related offenses) require no scienter except for the offense of possession with the intention to sell. 15 M.R.S. §710(6) offenses are Class B crimes, subject to maximum sentences of ten years in prison or a $20,000 fine (17-A M.R.S. §§1604 and 1704). These offenses are the only Class B crimes described in this article, making them the subject of the heaviest criminal penalties among the Maine laws described herein.

Civil liability

Any party to a conversation that was intercepted, disclosed, or used in violation of Chapter 102 has a private cause of action against any person who intercepts, discloses, or uses the communication. 15 M.R.S. §711. Remedies include actual damages (no less than a statutory liquidated damage amount of $100 for each day of violation) as well as attorneys' fees and litigation costs.

2.7. Criminal Invasion of Computer Privacy

17-A M.R.S. §§432 and 433 concern unauthorized access to computers and related systems.

Key definitions

Key defined terms in 17-A M.R.S. §431 include:

Access: To gain logical entry into, instruct, communicate with, store data in, or retrieve data from a computer resource (17-A M.R.S. §431(1)).

Not authorized and unauthorized: Lacking the consent or permission of the owner, or of a person licensed or authorized by the owner to grant consent or permission, to access or use a computer resource, or accessing or using that computer resource in a manner that exceeds the granted consent or permission (17-A M.R.S. §431(11)).

Computer: An electronic, magnetic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions. The term includes any data storage device or communications facility directly related to or operating in conjunction with the device (17-A M.R.S. §431(2)).

Computer resource: Under 17-A M.R.S. §431(8), any one or combination of the following:

  • Computer information: A representation of information, knowledge, facts, concepts, or instructions that are confidential or proprietary, are being prepared or have been prepared from an organized set of data, and are located in computer memory or on magnetic, optical, or mechanical media transferable directly to or useable directly by a computer as a source of data or instructions (17-A M.R.S. §431(3));
  • Computer software: A set of computer programs, procedures, and associated documentation used in the operation of a computer system (17-A M.R.S. §431(6));
  • Computer program: An ordered set of data representing coded instructions or statements that, when executed by a computer, cause the computer to process data (17-A M.R.S. §431(5));
  • Computer system: Any combination of a computer or computers with the documentation, computer software, or physical facilities supporting the computer (17-A M.R.S. §431(7)); or
  • Computer network: A combination of one or more computers and communication facilities with the capability to transmit information among the devices or computers (17-A M.R.S. §431(4)).

Criminal offences

A person is guilty of criminal invasion of computer privacy if they intentionally access a computer resource knowing that they are not authorized to do so (17-A M.R.S. §432).

A person commits aggravated criminal invasion of computer privacy if they (17-A M.R.S. §433):

  • intentionally make an unauthorized copy of any computer program, computer software, or computer information, knowing that they are not authorized to do so;
  • intentionally or knowingly damage a computer resource of another person, without a reasonable ground to believe that they have the right to do so; or
  • intentionally or knowingly introduce or allow the introduction of a computer virus into a computer resource, without a reasonable ground to believe that they have the right to do so.

Penalties

Violations of 17-A M.R.S. §432 are Class D crimes, subject to maximum sentences of less than one year in prison or a $2,000 fine (17-A M.R.S. §§1604 and 1704).

Violations of 17-A M.R.S. §433 are Class C crimes, subject to maximum sentences of five years in prison or a $5,000 fine (17-A M.R.S. §§1604 and 1704).

2.8. Identity Theft

17-A M.R.S. §905-A concerns identity theft and the misuse of identification. A person may not, with intent to obtain confidential information, property, or services, use a stolen or forged payment card, use another person's account or billing information without authorization, or use the other person's legal identification without authorization. Good-faith belief that the use was authorized is an affirmative defense.

A person who knows or reasonably believes that their personal information has been misused in violation of 17-A M.R.S. §905-A is entitled to a mandatory police report of the matter (§1350-B of Chapter 210-B of Title 10 of the M.R.S.). If the suspected crime occurred outside of Maine, Maine police must refer their reports to local law enforcement in the relevant jurisdiction (10 M.R.S. §1350-B). After making their initial mandatory report, Maine police have the discretion to investigate matters further (10 M.R.S. §1350-B).

Violations of 17-A M.R.S. §905-A are Class D crimes, subject to less than one year of imprisonment or a $2,000.00 fine (17-A M.R.S. §§1604 and 1704).

2.9. Genetic Testing

Maine courts may order a child or other designated individual (e.g. an alleged parent) to submit to genetic testing upon the sworn statement of a person providing a reasonable and good-faith basis for alleging genetic parentage (§1911 of Subchapter 6 of Chapter 61 of Title 19-A of the M.R.S.). A person contesting such an order has multiple equitable bases upon which a court may deny it (19-A M.R.S. §1912). A report resulting from genetic testing generally may not be intentionally published outside the relevant court proceeding (19-A M.R.S. §1910).

Violations of 19-A M.R.S. §1910 are Class E crimes, subject to up to six months of imprisonment or a $1,000.00 fine (17-A M.R.S. §§1604 and 1704).

2.10. Social Security Numbers

A business operating in Maine may not display a social security number on a credit card, customer service card, or debit card issued or distributed by that business on or after January 1, 1994. Social security numbers may be used as identification for various types of insurance, provided that companies issuing these cards offer alternative identifying numbers on an individual's written request (§1272 of Chapter 208-A of Part 3 of Title 10 of the M.R.S.).

The Director of the Bureau of Consumer Credit Protection (BCCP) enforces 10 M.R.S. §1272 and may assess civil penalties of up to $1,000 for its violation (10 M.R.S. §1273).

3. HEALTH DATA

Two Maine statutes address the privacy of health-related information. Both predate the 2003 effective date of the Privacy Rule that implements the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (§§1320d to 1320d–9 of Part C of Subchapter XI of Chapter 7 of Title 42 of the U.S. Code).

3.1. Mental Health Records

A statute enacted in 1983, §1207 of Subchapter 2 of Chapter 1 of Title 34-B of the M.R.S., deals with the health records of clients. A 'client' is a person receiving services from the Maine Department of Health and Human Services (DHHS), from any Maine state mental health institution, or from any mental health agency licensed or funded to provide services within the DHHS's jurisdiction (34-B M.R.S. §1207(1); see also 34-B M.R.S. §§1001(2) and 1203-A).

General rule against unauthorized disclosure

34-B M.R.S. §1207(1) protects '[a]ll orders of commitment, medical and administrative records, applications and reports, and facts contained in them, pertaining to any client […].' The protected materials must be kept confidential, and no person may disclose them except as the statute provides.

Permissible disclosures

The statute expressly authorizes disclosures:

  • pursuant to an informed written consent made by the client or their legal guardian (or the parent or legal guardian of a minor client) (34-B M.R.S. §1207(1)(A));
  • if necessary to carry out the mandated functions of the DHHS or to comply with certain laws (34-B M.R.S. §1207(1)(B));
  • if ordered by a court (34-B M.R.S. §1207(1)(C));
  • after deaths that the Chief Medical Examiner is required to report to the Legislature (34-B M.R.S. §1207(1)(C-1));
  • of names and dates of death of individuals who died at several former State-run mental health institutions (34-B M.R.S. §1207(1)(H)); or
  • by licensed mental health care professionals in some cases to family members and caretakers of adult clients (34-B M.R.S. §1207(5-A)).

The statute does not independently authorize, but makes clear that it does not preclude disclosures:

  • about mental status or physical condition to a client's spouse or next of kin (34-B M.R.S. §1207(1)(D));
  • to insurers and other actors involved in payments for client care (34-B M.R.S. §1207(1)(E));
  • in connection with educational and training programs, provided that client identities are shielded (34-B M.R.S. §1207(1)(F)); and
  • of information (except psychotherapy notes) to state-designated health information exchanges (34-B M.R.S. §1207(1)(I)).

The statute requires disclosure by licensed mental health professionals:

  • where the professional believes disclosure is necessary to avert a serious and imminent threat to health or safety, where the disclosure is made to any person (not limited to a target of a client's threat) who is reasonably able to prevent or minimize the threat (34-B M.R.S. §1207(6-A));
  • in good faith to law enforcement officers for law enforcement purposes, provided the conditions of the parallel federal HIPAA Privacy Rule provision (45 C.F.R. §164.512(f)) are met (34-B M.R.S. §1207(7)); and
  • in good faith to law enforcement of the fact that a client admitted to a state mental health institute has access to firearms (34-B M.R.S. §1207(8)).

Additional provisions

34-B M.R.S. §1207 establishes restrictions that govern the DHHS Commissioner's use of client information for research, planning, and administration and the use of client information by other persons for research (34-B M.R.S. §1207(2) and (3)).

Reportable violations

A disclosure of client information in violation of 34-B M.R.S. §1207 by a mental health professional is an offense under that professional's licensing standards and must be reported to the relevant licensing board (34-B M.R.S. §1207(4-A)).

3.2. Confidentiality of Healthcare Information Generally

Maine's more recent and comprehensive health care privacy law (compared to 34-B M.R.S. §1207) is §1711-C of Chapter 401 of Part 4 of Subtitle 2 of Title 22 of the M.R.S., enacted in 1997.

Key definitions

Key defined terms in 22 M.R.S. §1711-C include:

Health care information: Information that directly identifies an individual and relates to that individual's physical, mental, or behavioral condition, personal or family medical history or medical treatment, or the health care provided to that individual. The term does not include information that protects the individual's anonymity, e.g. by encryption.

Nor does it include information (22 M.R.S. §1711-C(1)(E)):

  • derived from or pertaining to certain federally sponsored, authorized, or regulated research, to the extent that information is used in a manner that protects the identification of individuals; or
  • created or received by a member of the clergy or other person using spiritual means alone for healing as Maine law allows.

Health care: Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, treatment, procedures, or counseling, including appropriate assistance with disease or symptom management and maintenance, that affects an individual's physical, mental, or behavioral condition, including individual cells or their components or genetic information, or the structure or function of the human body or any part of it. Health care includes prescribing, dispensing, or furnishing to an individual drugs, biologicals, medical devices, or health care equipment and supplies; providing hospice services to an individual; and the banking of blood, sperm, organs, or any other tissue (22 M.R.S. §1711-C(1)(C)).

Health care practitioner: The individual person licensed by the state of Maine to provide health care, the entity through which such individuals practice, or that entity's employees and agents acting in the course and scope of their employment (22 M.R.S. §1711-C(1)(F)).

Health care facility or facility: Certain entities other than practitioners, such as pharmacies and hospice programs (22 M.R.S. §1711-C(1)(D)).

Individual: The natural person who is the subject of the health care information at issue. In the context of disclosure of health care information, 'individual' includes the individual's authorized representative (22 M.R.S. §1711-C(1)(G)).

Authorized representative: An individual's legal guardian or several other categories of authorized persons. In the case of a minor who has not consented to health care treatment, it includes the minor's parent, legal guardian, or guardian ad litem (22 M.R.S. §1711-C(1)(A)).

General rule against unauthorized disclosure

An individual's health care information is confidential and may not be disclosed to any person other than that individual, except as the statute provides. These restrictions apply notwithstanding ethical and professional standards that otherwise allow or require practitioners or facilities to disclose health care information (22 M.R.S. §1711-C(2)).

Disclosure with authorization

Health care information may be disclosed with the individual's written authorization, with their oral authorization when written authorization is not practical, or to designated close relatives and friends when the individual is unable to give authorization (22 M.R.S. §1711-C(3), (3-A), (3-B)). An authorization may not last more than 30 months, may generally be revoked at any time, and may limit the types of information to which it applies (22 M.R.S. §1711-C(3), (4), (5)).

Disclosure without authorization

In some cases, healthcare practitioners and facilities may disclose healthcare information without authorization from the individual (22 M.R.S. §1711-C(6)). These are cases of disclosures:

  • to the individual's family or household members, except where the individual has expressly prohibited that disclosure (22 M.R.S. §1711-C(6)(C)).
  • to another health care practitioner or facility for diagnosis, treatment, or care of the individual, or to complete the responsibilities of the practitioner or facility that provided diagnosis, treatment, or care (22 M.R.S. §1711-C(6)(A)). Specific disclosure rules apply depending on whether the disclosure under this sub-section (A) is made within a facility or to another facility.
  • to a practitioner's or facility's employee, agent, independent contractor, or successor in interest (22 M.R.S. §1711-C(6)(B)). This sub-section (B) includes state-designated information exchanges that make health care information available to practitioners and facilities as well as select other organizations.
  • to government entities to protect the public health and welfare in certain cases, including mandatory-reporting scenarios, disclosure involving suspected criminal activity, and other circumstances (22 M.R.S. §1711-C(6)(E) and (E-1)).
  • to 'appropriate persons' where the practitioner or facility providing care believes in good faith that disclosure is made to avert a serious threat to health or safety, subject to additional restrictions (22 M.R.S. §1711-C(6)(D)).
  • to government entities in cases where practitioners or facilities are bound by Maine law to cooperate in good faith with law enforcement (22 M.R.S. §1711-C(6)(E-2)).
  • where Maine statutes or court orders require (22 M.R.S. §1711-C(6)(F-1)).
  • to government entities that have served subpoenas for and are entitled to receive the information (22 M.R.S. §1711-C(6)(F-2)).
  • in encrypted form to the Maine Health Data Organization, a state clearinghouse (22 M.R.S. §1711-C(6)(F-3)).
  • in certain research and clinical-trial cases (22 M.R.S. §1711-C(6)(G)).
  • in certain activities involving investigation, review, and assessment of practitioners and facilities (22 M.R.S. §1711-C(6)(H), (J), (U)).
  • to licensure, accreditation, and similar entities (22 M.R.S. §1711-C(6)(I)).
  • to attorneys and others in legal proceedings (22 M.R.S. §1711-C(6)(K)).
  • to certain persons involved in payment activities (22 M.R.S. §1711-C(6)(L)).
  • regarding an individual's immunization history to schools, correctional facilities, and similar organizations (22 M.R.S. §1711-C(6)(M)).
  • to third parties as part of scheduling appointments or tests for the individual (22 M.R.S. §1711-C(6)(N)).
  • of brief confirmation of general health status to emergency services, correctional facilities, and similar organizations (22 M.R.S. §1711-C(6)(P)).
  • of brief confirmation of general health status to members of the media who ask about an individual by name, except where the individual has expressly prohibited such disclosure (22 M.R.S. §1711-C(6)(R)).
  • of brief confirmation of general health status and of the individual's room number to members of the public who ask about an individual by name, except where the individual has expressly prohibited such disclosure (22 M.R.S. §1711-C(6)(S)).
  • to confirm to members of the clergy that the individual is present in the facility, including the person's room number and religious affiliation (22 M.R.S. §1711-C(6)(Q)).
  • to a lay caregiver (22 M.R.S. §1711-C(6)(T)).

Confidentiality policies and procedures

Practitioners, facilities, and state information exchanges must develop and implement policies and procedures to protect against disclosures contrary to 22 M.R.S. §1711-C. These must include procedures for giving patients notice of their rights at the point of admission (22 M.R.S. §1711-C(7)).

Disclosures prohibited for marketing and sales purposes

Practitioners, facilities, and state information exchanges must not disclose health care information for purposes of marketing or sales without oral or written authorization (22 M.R.S. §1711-C(8)).

Additional provisions

Persons with rights under 22 M.R.S. §1711-C may not waive them (22 M.R.S. §1711-C(14)). A person making a disclosure permitted by 22 M.R.S. §1711-C is immune from civil action for defamation, negligence, or invasion of privacy (22 M.R.S. §1711-C(15)).

Enforcement

If the Maine Attorney General (AG) suspects intentional violations of 22 M.R.S. §1711-C, they may seek injunctive relief to prevent disclosures in violation of it (22 M.R.S. §1711-C(13)(A)).

In cases of intentional disclosures in violation of 22 M.R.S. §1711-C, an aggrieved individual may bring a civil action against the disclosing person for civil penalties as well as costs and injunctive relief (22 M.R.S. §1711-C(13)(B) and (C)). Courts may assess civil penalties up to $5,000 per disclosure. If a court finds that intentional violations after notice of the violating conduct amount to a general business practice, penalties may be as much as $10,000 for a practitioner and $50,000 for a facility. All such penalties are payable to the State of Maine.

Actions under 22 M.R.S. §1711-C must be brought within two years from the date of a disclosure in violation of the section or from the date that the disclosure should reasonably have been discovered (22 M.R.S. §1711-C(13)).

While 22 M.R.S. §1711-C does not create a private action for damages, it also expressly does not prohibit a plaintiff from seeking damages or any other remedy that may be appropriate in negligence or another common-law claim (22 M.R.S. §1711-C(13)(D)).

3.3. Other Maine Health-related Privacy Laws

In addition to the comprehensive statutes described above (34-B M.R.S. §1207 and 22 M.R.S. §1711-C), Maine has the following laws:

3.4. HIPAA's Relevance to Private Actions

HIPAA does not create a private cause of action under Maine law28. HIPAA's regulations and standards may, however, be admissible to establish the standard of care associated with a Maine tort claim under some other source of law29.

4. FINANCIAL DATA

4.1. Financial Institutions and Credit Unions

Application of Gramm-Leach-Bliley Act; Remedies Under Other Statutes

Maine by statute requires financial institutions and credit unions to comply with the federal Gramm-Leach-Bliley Act of 1999 (GLBA). 9-B M.R.S. §241(13). A violation by a financial institution or credit union of GLBA is an anticompetitive or deceptive practice for purposes of Chapter 24 and subject to remedies provided by that chapter or otherwise provided by law. Remedies applicable under Chapter 24 include the power of the Superintendent of Financial Institutions to bring actions to enjoin violations and the courts' power to order injunctive relief and other appropriate remedies (including the award of investigative costs and litigation costs to the State of Maine, where its actions yield permanent injunctions). 9-B M.R.S. §241(1), (13).

Chapter 24 deals with anticompetitive and deceptive conduct specifically by financial institutions and credit unions. It is distinct from Maine's general Unfair Trade Practices Act (UTPA), 5 M.R.S. 205-A et seq. Violations of Chapter 24 are not necessarily violations of Maine's UTPA, and the UTPA exempts financial institutions and credit unions from its application.

§162 of Chapter 16 of Title 9-B of the M.R.S. supplements the privacy provisions of the federal Gramm-Leach-Bliley Act of 1999 (GLBA). 9-B M.R.S. §162 generally bars banks, credit unions, and certain other financial services organizations doing business in Maine from disclosing customer financial records to any person except the customer. The statute expressly authorizes disclosures (9-B M.R.S. §162):

  • authorized by the customer;
  • in response to legal process;
  • to state health regulators in matters of child support and suspected abuse of vulnerable adults;
  • to state labor regulators in levy matters;
  • to state revenue authorities in tax debt matters; and
  • to the BCCR in connection with a notice of a mortgagor's right to cure.

'Financial records' are those pertaining to a customer's relationship with the financial institution or credit union as well as information derived from those records (9-B M.R.S.A. §161).

Enforcement

The Superintendent of Financial Institutions may assess civil penalties for violations of 9-B M.R.S. §162 in amounts up to $10,000 for financial institutions and credit unions and $5,000 for their officers and employees. Third parties inducing or attempting to induce violations may also be liable for civil penalties up to $10,000 (9-B M.R.S. §164).

4.2. Extension of GLBA to Select Actors

Maine law, under Title 9-A of the M.R.S., Title 30-A of the M.R.S., Title 32 of the M.R.S., and Title 33 of the M.R.S., requires several categories of actors to comply with the GLBA. These include:

  • creditors in certain consumer credit transactions (9-A M.R.S. §3-314 and 9-A M.R.S. §9-310);
  • loan brokers (9-A M.R.S. §10-306);
  • merchants that enter into rental-purchase agreements with consumers (9-A M.R.S. §11-122);
  • pawnbrokers (30-A M.R.S. §3964-A);
  • check cashing businesses and foreign currency exchanges (32 M.R.S. §6146);
  • cash-dispensing machine operators (32 M.R.S. §6162);
  • collection agencies and repossession companies (32 M.R.S. §11018);
  • broker-dealers and investment advisers (32 M.R.S. §16411); and
  • settlement agencies (33 M.R.S. §528).

Each statute cited above provides that if the relevant actor is a financial institution, it must also comply with federal Privacy of Consumer Financial Information regulations as adopted by the federal regulators of financial institutions.

In addition, Maine law requires the Efficiency Maine Trust (a state-established trust) and municipalities and their designees to comply with the GLBA with respect to consumer financial information obtained in implementing property-assessed clean energy (PACE) mortgage programs. 35-A M.R.S. §10155(3).

4.3. Insurance

Maine has several privacy laws specific to the insurance sector.

Maine Insurance Information and Privacy Protection Act

General provisions

The Maine Insurance Information and Privacy Protection Act, codified under §2201 et seq. of Chapter 24 of Title 24-A of the M.R.S. (Insurance Act), contains a host of privacy- and confidentiality-related rules for regulated insurance entities. These include a requirement that insurance entities provide standardized written notices regarding their privacy practices (24-A M.R.S. §2206). They must provide the notices to applicants, policyholders, and claimants at times specified in the statute (24-A M.R.S. §2206).

The Insurance Act also places detailed limitations on the ability of several types of insurance-related organizations to disclose information about consumers (24-A M.R.S. §2215).

Enforcement and penalties

Consumers harmed by the disclosure-related provisions of the Insurance Act may sue a wrongly disclosing insurance entity within a two-year statute of limitations period. The Insurance Act authorizes plaintiffs to recover damages with statutory interest, costs, and reasonable attorneys' fees (24-A M.R.S. §2217). The Insurance Act creates no private right of action for violations of its provisions other than its disclosure provisions (24-A M.R.S. §2217).

A person who knowingly obtains personal information from a regulated insurance entity under false pretenses is guilty of a Class D crime, punishable by imprisonment of less than one year or a $2,000.00 fine (24-A M.R.S. §2219; 17-A §§1604 and 1704).

The Insurance Data Security Act

Overview

Maine enacted the Maine Insurance Data Security Act (Insurance Data Security Act), 24-A M.R.S. Chapter 24-B, in 2021. This Act is Maine's implementation of the National Association of Insurance Commissioners Insurance Data Security Model Law 668, a model statute adopted to varying degrees by multiple other states. The Insurance Data Security Act imposes certain obligations on licensees (insurers and other actors licensed by the State of Maine) and other duties on their third-party service providers.

Key definitions

Key defined terms in the Insurance Data Security Act include the following:

Consumer: An individual Maine resident whose nonpublic information is in a licensee's possession, custody, or control (§2263(2) of Chapter 24-B).

Publicly available information: Information that a licensee has a reasonable basis to believe is lawfully made available to the general public from widely distributed media, from government records, or from public disclosures that are required by applicable law (§2263(11) of Chapter 24-B).

Nonpublic information: Information that is not publicly available information and is (§2263(10) of Chapter 24-B):

  • business-related information of a licensee, which through tampering or unauthorized use, access, or disclosure would materially and adversely affect the licensee;
  • various types of personally identifiable information, including general contact information as well as health-related information.

Third-party service provider: A person that is not a licensee, but has a contract with a licensee through which the third-party stores, processes, maintains, or gains access to nonpublic information (§2263(11) of Chapter 24-B).

Written information security program: Licensees must implement robust written information security programs designed to safeguard nonpublic information that the licensees hold as well as the licensees' own information systems (§2264(1) and (2) of Chapter 24-B). These programs must also guard against foreseeable external threats and unauthorized access and must provide for the retention and periodic destruction of nonpublic information (§2264(2) of Chapter 24-B). The program must include a written incident response plan meeting detailed criteria set forth in the statute (§2264(8) of Chapter 24-B).

The statute leaves licensees with considerable discretion regarding the security program's specifics, but the program must be commensurate with the licensee's size, the scope and nature of its activities, its use of third-party service providers, and other factors (§2264(1) of Chapter 24-B).

A licensee must designate one or more employees (or affiliates or other persons) to take responsibility for the licensee's information security program (§2264(3)(A) of Chapter 24-B). The licensee has an ongoing duty to keep the information security program updated to keep pace with changes in technology, in the nature of nonpublic information held by the licensee, and other factors (§2264(7) of Chapter 24-B).

Risk assessment: A licensee must identify foreseeable internal and external threats that could result in unauthorized access, disclosure, and destruction of nonpublic information and assess the likelihood and potential damage of such threats (this article will refer to this assessment as the 'threat assessment') (§2264(3) of Chapter 24-B). The licensee must also assess the sufficiency of its practices and policies in light of this risk assessment (this article will refer to this second assessment as the 'practice assessment') and update the practice assessment at least annually (§2264(3) of Chapter 24-B).

Risk management: A licensee must design its information security program to mitigate the risks assessed under §2264(3) of Chapter 24-B (§2264(4)(A) of Chapter 24-B). The licensee must also consider an extensive list of potential best practices and implement any of them the licensee deems appropriate (§2264(4)(B) of Chapter 24-B).

Board oversight: Those licensees with boards of directors must (by the board or a board committee) require their executive management to comply with §2264(1) of Chapter 24-B (written information security program obligations) and report to the board at least annually on its compliance with the Insurance Data Security Act (§2264(5) of Chapter 24-B). A licensee's executive management may delegate these duties but must oversee and require written reports from those to whom they delegate them (§2264(5) of Chapter 24-B).

Third-party service providers: Licensees must exercise due diligence in selecting vendors and other third-party service providers. The licensee must contractually obligate such providers to implement information security practices (§2264(6) of Chapter 24-B).

Investigation of cybersecurity events: A licensee who learns of an actual or possible cybersecurity event must promptly investigate the matter. The statute provides detail regarding the investigation's conduct and post-investigation remedial measures and record-keeping (§2264(5) of Chapter 24-B).

Notification of cybersecurity events - Superintendent of Insurance

If a licensee determines that a cybersecurity event has occurred, it must notify the Superintendent of the Maine Bureau of Insurance (Superintendent) if the licensee's home state or state of domicile is Maine. Other licensees must notify the Superintendent if they reasonably believe that the cybersecurity event:

  • involves nonpublic information of 250 or more Maine consumers; and
  • either requires notice to a governmental or self-regulatory entity or is reasonably likely to materially harm a Maine consumer or the licensee's operation.

A licensee required to notify the Superintendent must do so within three days after learning of the cybersecurity event (§2266(1) of Chapter 24-B). The Insurance Data Security Act provides significant details regarding content that must appear in the notification (§2266(2) of Chapter 24-B).

The Insurance Data Security Act's provisions relating to notification to the Superintendent supersede any inconsistent provisions that might apply to a licensee under Maine's general data breach notification law, the Notice of Risk to Personal Data Act, codified under §1346 et seq. of Chapter 210-B of Title 10 of the M.R.S. (summarized below) (§2266(1) of Chapter 24-B).

Notification of cybersecurity events - consumers

Maine's general data breach law, the Notice of Risk to Personal Data Act (summarized below), governs a licensee's duties and notification obligations to consumers (§2266(3) of Chapter 24-B).

Notification of cybersecurity events - others

Licensees also have notification obligations to third-party service providers, to insurers (in the case of reinsurers), and to producers of record (§2266(4) to (6) of Chapter 24-B).

Certification to the Superintendent

Each year, an insurance carrier must certify its compliance with the Insurance Data Security Act in writing to the Superintendent (§2264(9) of Chapter 24-B). For five years after each certification, the carrier must maintain and make available to the Superintendent for inspection all records supporting the certification (§2264(9) of Chapter 24-B).

Exceptions and application

A small business (a licensee with fewer than ten employees) is exempt from §2264 of Chapter 24-B of the Insurance Data Security Act but not its other provisions (§2264(1) of Chapter 24-B).

The Insurance Data Security Act also does not apply to certain licensees that are subject to HIPAA and the GLBA, provided some additional criteria are met (§2264(2) of Chapter 24-B).

Enforcement and penalties

The Superintendent enforces the Insurance Data Security Act (§2267 of Chapter 24-B). The Superintendent may order restitution to insureds and insurance applicants and may order injunctions (§12-A(2)(2-A), (6) of Chapter 1 of Title 24-A M.R.S.). Courts in actions by the Superintendent may assess civil penalties against licensees in amounts between $500 and $5,000 per violation (§2270 of Chapter 24-B; 24-A M.R.S. §12-A).

The Insurance Data Security Act neither creates a private cause of action for its violation nor curtails a private cause of action that would otherwise exist absent the Insurance Data Security Act (§2262 of Chapter 24-B).

5. EMPLOYMENT DATA

Maine law imposes several restrictions on employers relating to the privacy of employees and job applicants.

5.1. Pre-employment Social Security Number Requests

With limited exceptions, employers may not request a social security number from prospective employees. This prohibition does not apply where federal law requires otherwise, where an employer engages in substance use testing, or in connection with a pre-employment background check. This provision does not bar requests for social security numbers after the employment relationship begins (§598-A of Chapter 7 of Title 26 of the M.R.S.).

5.2. Employee Social Media Privacy

General provisions

Maine employers may not (26 M.R.S. §616):

  • require, coerce, or ask employees or applicants to:
    • disclose passwords or other means of accessing their personal social media accounts; or
    • access their personal social media accounts in the employer's presence;
  • require or coerce employees or applicants to disclose any personal social media account information;
  • require or cause employees or applicants to:
    • add the employer or any other party to the employees' or applicants' personal social media contacts; or
    • alter personal account settings to make content visible to the employer; or
  • discharge or otherwise penalize employees for, or fail to hire an applicant for, their refusal to take any of the actions that the bullets above bar employers from requiring, coercing, or asking of them.

26 M.R.S. §616 does not apply to publicly available information (26 M.R.S. §617(1)). Nor does it limit screening, monitoring, and evidence retention activities that are required of employers in certain regulated industries (26 M.R.S. §617(2)). The statute also does not bar employers in certain investigations of alleged employee misconduct from requiring employees to disclose personal social media account information (26 M.R.S. §617(3)).

Finally, 26 M.R.S. §616 does not limit employers' power to adopt and enforce workplace policies that cover devices, software, and accounts owned or operated by the employer itself (26 M.R.S. §618).

Enforcement and penalties

The Maine Department of Labor enforces 26 M.R.S. §616. Employers are liable for fines of $100 or more for a first violation, $250 or more for a second violation, and $500 or more for each subsequent violation (26 M.R.S. §619).

6. ONLINE PRIVACY

Maine's internet privacy statute, An Act to Protect the Privacy of Online Customer Information, codified under §9301 of Chapter 94 of Title 35-A of the M.R.S., took effect on July 1, 2020 (Internet Privacy Act). The Internet Privacy Act applies to only one type of actor: Broadband Internet access service providers (35-A M.R.S. §9301(1)(D)). For those providers, the Internet Privacy Act's restrictions are robust.

Key definitions

Key defined terms in the Internet Privacy Act include:

Broadband Internet access service (BIAS): Means 'a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service' (35-A M.R.S. §9301(1)(A)).

Customer: A current or former BIAS subscriber or a BIAS applicant (35-A M.R.S. §9301(1)(B)).

Customer personal information: Personally identifying information about a customer, including name, social security number, billing address and billing information, and demographic information, together with information derived from a customer's use of BIAS, such as browsing history, application usage history, geolocation data, health and financial information, information about the customer's children, device identifiers, internet protocol (IP) addresses, and the customer's communications (35-A M.R.S. §9301(1)(C)).

Affirmative opt-in required before provider use and disclosure

With limited exceptions, a BIAS provider must secure a customer's consent before using, disclosing, selling, or permitting access to that customer's personal information (35-A M.R.S. §9301(1)(D)). Consent must be express and affirmative, and a customer who has given consent may revoke it at any time (35-A M.R.S. §9301(3)(A)). Providers may not refuse service to, or financially penalize, customers who decline to give consent, nor may they offer customers discounts in exchange for consent (35-A M.R.S. §9301(3)(B)).

To the extent that providers collect from customers information that does not amount to customer personal information, the providers may freely use, disclose, sell, or permit access to such information (35-A M.R.S. §9301(3)(C)). On written notice from the customer from whom the provider collected that information, however, the provider may not avail itself of this provision (35-A M.R.S. §9301(3)(C)).

Exceptions to consent requirement

The Internet Privacy Act permits providers, without customer consent, to make several uses and disclosures of customer personal information. These exceptions allow a provider to provide the BIAS itself and bill customers for it, to comply with court orders, and to serve advertisements to the customers whose personal information is at issue. The Internet Privacy Act also allows providers to protect their own services, or those of other providers, from unlawful, fraudulent, or abusive use. Finally, providers may provide a customer's geolocation information to third parties in connection with medical, fire, and other emergency services (35-A M.R.S. §9304(F)).

Safeguarding customer personal information

Providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access (35-A M.R.S. §9305). The Internet Privacy Act directs providers to consider, in complying with §9305, the nature and scope of the provider's activities, the sensitivity of the collected data, the provider's size, and the feasibility of the security measures (35-A M.R.S. §9305(A)).

Notice

Providers must give customers notice of the provider's obligations and the customer's rights conferred by 35-A M.R.S. §9305 (35-A M.R.S. §9306). The notice must be clear, conspicuous, and nondeceptive and must be made at the point of sale as well as on the provider's public website (35-A M.R.S. §9306).

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

General provisions

Chapter 224 of Title 10 of the M.R.S. is Maine's statute regulating unsolicited commercial email (spam). As noted below, Chapter 224 is likely pre-empted by the federal CAN-SPAM statute. As codified, however, the law requires senders of unsolicited commercial emails to display return email addresses that recipients can use to opt out of future emails and to notify recipients that they can use those return addresses for that purpose (10 M.R.S. §1497(2), (3)). Senders must honor opt-out requests (10 M.R.S. §1497(4)). An unsolicited commercial email message's subject line must contain 'ADV:' as its first four characters. If the email contains information for viewing only by persons over 18 years old, the initial characters in the subject line must be 'ADV: ADLT.' (10 M.R.S. §1497(3)(A)). Finally, unsolicited commercial emails must identify their senders (10 M.R.S. §1497(3)(B)).

Enforcement and penalties

10 M.R.S. §1497 provides a private civil action against senders of emails that violate the statute. Recipients of such emails may seek injunctive relief, attorneys' fees and costs, and the greater of actual damages or $250 for each violation (10 M.R.S. §1497(7)). Email service providers whose services are used to send emails in violation of the statute may sue senders for injunctive relief, attorneys' fees, and costs and the greater of actual damages or $1,000 per violation (10 M.R.S. §1497(8)). In the case of willful or knowing violations, recipients and email service providers can recover punitive damages up to three times the actual or statutory damages (10 M.R.S. §1497(7), (8)).

Uncertain status of Maine statute

Maine is one of many US states that adopted laws regulating unsolicited email before the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) became law. CAN-SPAM pre-empts state laws that regulate commercial email except to the extent that the state laws prohibit false or deceptive content in an email (the 'savings clause'). 15 U.S.C. §7707(b)(1). Since CAN-SPAM's passage, courts have considered whether other states' email laws fall within the savings clause or whether they are pre-empted. Courts have reached differing conclusions on that question, in part because of differences between the state statutes in question.

As of this article's publication date, Maine's §1497 has not been tested in any court. It is sufficiently similar to other state email laws that other courts have held pre-empted, however, that a Maine court would likely hold Maine's own law pre-empted in whole or in part.

8. PRIVACY POLICIES

Maine does not have a general law requiring individuals or entities to disclose privacy policies to customers, users of their services, or the public.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Maine's general data breach notification statute is the Notice of Risk to Personal Data Act under §1346 et seq. of Chapter 210-B of Part 3 of Title 10 of the M.R.S. This law applies to any person who maintains various categories of personal information.

Key definitions

Key defined terms in the Notice of Risk to Personal Data Act include:

Person: All individuals, business entities, and Maine state government agencies, among others (10 M.R.S. §1347(5)).

Unauthorized person: A person who lacks another person's permission to access personal information maintained by that other person or who accesses that same personal information by fraud, deception, or similar practices (10 M.R.S. §1347(8)).

Information broker: A person whose financially compensated business includes collecting, reporting, and taking other actions regarding individuals for the main purpose of providing personal information to non-affiliated third parties (10 M.R.S. §1347(3)).

Personal information: Any of the following, when not redacted or encrypted (10 M.R.S. §1347(6)):

  • an individual's first name or first initial and their last name when kept in combination with other types of identifying information (e.g. social security number, driver's license number, various types of payment information, and account passwords); or
  • those other types of identifying information when stored without name information, provided they nonetheless give sufficient detail to allow a third party to assume the individual's identity.

Exempt from this definition is information from claims databases maintained by various insurers as well as many types of publicly available information (10 M.R.S. §1347(6)).

Security breach or breach of the security of the system: Unauthorized acquisition, release, or use of an individual's computerized data that includes personal information that compromises the security, confidentiality, or integrity of personal information of the individual that a 'person' maintains (10 M.R.S. §1347(1)). Certain good-faith disclosures are not deemed security breaches (10 M.R.S. §1347(1)).

Investigations and notifications after security breaches

All persons who maintain computerized data that includes personal information must conduct a prompt, good-faith, and reasonable investigation when they become aware of a security breach. That investigation must determine the likelihood that personal information has been misused or will be misused (10 M.R.S. §1348(1)). The person's post-investigation obligations differ depending on whether they are an information broker or any other person. An information broker must provide notice of the breach to a variety of third parties if the broker concludes or reasonably believes that a Maine resident's personal information has been acquired by an unauthorized person (10 M.R.S. §1348(1)(A)). All other persons must give notice to the same categories of third parties if their investigation determines that a Maine resident's personal information has been 'misused' or its misuse is reasonably possible (10 M.R.S. §1348(1)(B)).

In all cases that require notification, the person (information broker or otherwise) must proceed as follows. First, the person must notify state regulators (the Department of Professional and Financial Regulation (DPFR) in the case of persons regulated by that agency, or the AG for all other persons) (10 M.R.S. §1348(5)). If law enforcement thereafter directs the person to delay further public disclosure of the breach pending its own investigation, the person must comply but then must begin notifying affected Maine residents within seven days after notification from law enforcement that the further reporting will not compromise a criminal investigation (10 M.R.S. §1348(1) and (3)). If law enforcement does not direct the person to suspend further disclosure, then the person must notify affected Maine residents 'as expediently as possible and without unreasonable delay' within a period capped at 30 days after the person's discovery of the breach (10 M.R.S. §1348(1)). The Maine residents who must receive notice are those in 10 M.R.S. §1348(1)(A) and (B), with different scopes for information brokers and other persons. If the person must notify more than one thousand Maine residents at once, then the person must also notify consumer reporting agencies of the incident (10 M.R.S. §1348(4)).

Actions by unauthorized persons

The Notice of Risk to Personal Data Act bars unauthorized persons from using or releasing personal information acquired through a security breach (10 M.R.S. §1347-A).

Safe harbor

A person is deemed compliant with the notification requirements under 10 M.R.S. §1348 if that person complies with the breach notification requirements imposed by another Maine law or by federal law, provided that that other law's notification provisions are at least as protective as those of 10 M.R.S. §1348 (10 M.R.S. §1349(4)).

Enforcement and penalties

The Notice of Risk to Personal Data Act does not create a private right of action. The DPFR enforces the law as to persons regulated or licensed by that Department. The AG enforces the law in all other cases (10 M.R.S. §1349(1)). Violations are subject to equitable relief and fines of $500 per violation (capped at $2,500 per day containing multiple violations) for most actors (10 M.R.S. §1349(2)). 10 M.R.S. §1349's penalties are cumulative, not pre-empting or affecting other rights or remedies under federal or state laws (10 M.R.S. §1349(3)).

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

10.1. Student Privacy - Overview

Maine has expressly incorporated into state law the federal Family Educational Rights and Privacy Act of 1975 (FERPA) and the federal Individuals with Disabilities Education Act of 1997 (IDEA). See 20-A M.R.S. §6001(1) (incorporation of FERPA and IDEA).

Maine also has two additional statutes restricting the use and disclosure of student-related information. The Student Information Privacy Act (Student Privacy Act), codified under §951 et seq. of Chapter 13 of Title 20-A of the M.R.S., restricts certain uses and disclosures by private actors (operators). In addition, §6001 of Chapter 221 of Title 20-A of the M.R.S. places additional obligations on public schools and certain private schools.

10.2. Student Information Privacy Act

The Student Privacy Act limits the ability of 'operators' to use and disclose information relating to students and schools.

Key definitions

The primary type of information protected by the Student Privacy Act is 'student data,' defined as information collected and maintained at the individual student level within Maine (20-A M.R.S. §952(6)). Student data has two subsets in addition to the umbrella definition:

Data descriptive of a student including (20-A M.R.S. §952(6)(A)):

  • names and contact information of the student and their family members;
  • contact information that allows contact with the student or their family;
  • unique personal identifiers (sometimes assigned by the state of Maine);
  • the student's gender, race, ethnicity, and disability status;
  • 'indirect identifiers' that include the mother's maiden name and the student's date and place of birth;
  • information relating to a student's course transcripts, testing, attendance, movement between school districts, food purchases, and socioeconomic information; and
  • the student's emails, text messages, online search activity, photos, and other digital records.

Select other information consisting of information (20-A M.R.S. §952(6)(B)):

  • created or provided by an employee or agent of a school or school administrative unit, including information that the person provides to an operator in connection with 'kindergarten to grade 12 school purposes' (defined below);
  • created by a student or the student's parent, or provided to a school representative or an operator, in the course of using the operator's product for kindergarten to grade 12 school purposes; or
  • gathered by an operator through the operation of its product for kindergarten to grade 12 school purposes.

Practitioners will note that 20-A M.R.S. §952(6)(B) includes one category of student-related information and two categories that may not relate to students at all. A compliance or contracting approach that is limited solely to student-related information, therefore, may fail to comply with Maine law.

A second category of protected information, 'student personally identifiable information', is student data that, alone or in combination, is linked to a specific student and would allow a reasonable person without knowledge of the relevant circumstances to identify that student (20-A M.R.S. §952(7)).

An 'operator' subject to the Student Privacy Act is an entity other than a department, school, or school administrative unit, to the extent that entity either (20-A M.R.S. §952(4)):

  • collects, maintains, or uses student personally identifiable information; or
  • operates a website, mobile application, or some other software service with actual knowledge that that product is used for kindergarten to grade 12 school purposes and was designed and marketed for those purposes, to the extent that the operator is operating in that capacity.

The Student Privacy Act's other key defined terms include:

Eligible student: A student who is at least 18 years old or who is attending a postsecondary institution (20-A M.R.S. §952(2)).

Kindergarten to grade 12 school purposes: Purposes that take place at the direction of a school administrative unit, of a school or its teacher, or purposes that aid in the administration of school activities (20-A M.R.S. §952(3)).

Targeted advertising: Advertisements shown to a student when the advertisements are selected based on information obtained or inferred from that student's online activity, application usage, or student data. The statutory definition expressly excludes advertisements presented to a student at an online location (e.g. a website) based solely upon that student's own current visit to that location; the full statutory definition contains further detail that operators should consult (20-A M.R.S. §952(8)).

General provisions

The Student Privacy Act imposes a host of prohibitions on operators. First, without digital or written authorization by an eligible student or a student's parent, operators may not knowingly (20-A M.R.S. §951(1)):

  • use student data to engage in targeted advertising in several defined circumstances;
  • use student data to amass a profile of a student for purposes other than kindergarten to grade 12 school purposes;
  • sell student data; or
  • disclose student personally identifiable information, except in cases of:
    • 'permitted disclosures' expressly authorized by 20-A M.R.S. §953(3); or
    • numerous other expressly authorized circumstances, including the operator's compliance with other legal obligations or sharing with downstream service providers who contractually undertake to protect the information in defined ways.

Expressly permitted disclosures

Notwithstanding 20-A M.R.S. §951(1), the Student Privacy Act provides operators with several safe harbors of expressly authorized use and disclosure. First, operators may disclose student data in the context of certain legitimate research activities and in other cases allowed or required by applicable law (20-A M.R.S. §953(3)(A)).

Second, operators may use student data to operate, support, and improve the websites and other products that they offer; to deliver customized student learning services; to ensure legal and regulatory compliance; and, generally, to recommend content within the operator's own product (20-A M.R.S. §953(3)(B)).

Finally, an operator may use and disclose aggregated student data and other data that omits personally identifying information to promote the operator's products and to provide and improve any of the operator's products (20-A M.R.S. §953(3)(C)).

Operator security practices

In addition to the restrictions in 20-A M.R.S. §953(1), operators must adopt and maintain reasonable security practices appropriate to the nature of the student data to protect it from unauthorized use, destruction, modification, or disclosure. An operator must also delete student data within 45 days of a deletion request from a school or a school administrative unit (20-A M.R.S. §951(2)).

Construction

The Student Privacy Act provides some rules of construction (20-A M.R.S. §953(4)). Among these rules, the statute does not bar a student or the student's parent from downloading the student's own data or documents from an operator's product; does not bar law enforcement from obtaining student data where the law otherwise allows; and does not obligate a third-party marketplace that offers an operator's software to review or independently enforce that operator's compliance with the Student Privacy Act.

Enforcement

The Maine Commissioner of Education (Education Commissioner) enforces the Student Information Privacy Act (20-A M.R.S. §253(1)).

10.3. Restrictions Applicable to Schools and Public Entities

20-A M.R.S. §6001 restricts disclosures of student-related information by schools and certain public entities.

Key definitions

The key defined terms under 20-A M.R.S. §6001 include:

Personal information: Information that identifies a student, including the student's full name, photograph, personal biography, email address, home address, date of birth, social security number, and parents' names (20-A M.R.S. §6001(2)).

Education records: This term has the same meaning as FERPA provides in 20 U.S.C. §1232g(a)(4).

General provisions

Maine public schools may not publish on the internet, by themselves or via third parties, personal information about their students without those students' prior written approval (20-A M.R.S. §6001(2)).

Maine public schools and certain private schools may disseminate education records of juveniles to criminal justice agencies and certain agencies responsible for the juvenile's health or welfare (20-A M.R.S. §6001(3)). These schools may only do so, however, if the juvenile has not been adjudicated as having committed a juvenile crime and the education records are relevant to, and disseminated for the purpose of creating and maintaining, a plan for the juvenile's rehabilitation (20-A M.R.S. §6001(3)).

The agencies receiving education records under 20-A M.R.S. §6001(3) may not further disseminate them except as the law provides and must make certifications about their confidentiality obligations to the disseminating school.

Enforcement

The Education Commissioner enforces 20-A M.R.S. §6001 (20-A M.R.S. §253(1)).


1. State v. Gulick, 2000 ME 170, 759 A.2d 1085, 1087 n.3 (quoting State v. Tarantino, 587 A.2d 1095, 1098 (Me. 1991)).

2. Berthiaume's Estate v. Pratt, 365 A.2d 792, 795 (Me. 1976) (citing Prosser, Law of Torts §804 (4th ed. 1971)).

3. Berthiaume's Estate, 365 A.2d at 795 (citing Allen v. Rossi, 128 Me. 201, 146 A. 692, 693 (1929); Barber v. Time, Inc., 348 Mo. 1199, 159 S.W.2d 291 (1942)).

4. Nelson v. Maine Times, 373 A.2d 1221, 1225 (Me. 1977) (quoting Restatement (Second) of Torts ('Rest. (2nd) of Torts') §652I).

5. Id.

6. Cole v. Chandler, 2000 ME 104, ¶ 17, 752 A.2d 1189, 1197 (quoting Rest. (2nd) of Torts §652E (1977)); see also Garey v. Stanford Mgmt., 2024 ME 46, ¶ 17, 2024 WL 3034545, at *4.

7. Garey, 2024 ME 46, ¶ 17, 2024 WL 3034545, at *4.

8. Cole, 2000 ME 104, ¶ 17, 752 A.2d at 1197 (quoting Rest. (2nd) of Torts §652D cmt. a (1977)).

9. Davis v. Theriault, 2023 WL 5628193, at *67 (D. Me. Aug. 31, 2023).

10. Garey, 2024 ME 46, ¶ 17.

11. Davis, 2023 WL 5628193, at *67.

12. Nelson v. Maine Times, 373 A.2d 1221, 1223 (Me. 1977) (quoting Rest. (2nd) of Torts §652B).

13. Nelson, 373 A.2d at 1223.

14. Thayer v. Reed, 2011 WL 2682723 (D. Me. July 11, 2011) (quoting Rest. (2nd) of Torts §652B cmt. a).

15. Lougee Conservancy v. CitiMortgage, Inc., 2012 ME 103, ¶ 18, 48 A.3d 774, 782 (citing Knight v. Penobscot Bay Med. Ctr., 420 A.2d 915, 917-18 (Me. 1980), and Berthiaume's Estate, 365 A.2d at 795).

16. Lougee Conservancy, 2012 ME 103, ¶ 19.

17. Nelson, supra, 373 A.2d at 1225 (quoting Rest. (2nd) of Torts §652D).

18. Id.

19. Id.

20. Deangelis v. Maine Educ. Ass'n, No. CV-03-493, 2004 WL 1925543, at *4 (Me. Super. June 30, 2004) (citing Loe v. Town of Thomaston, 600 A.2d 1090, 1093 (Me. 1991)).

21. Davis, supra, 2023 WL 5628193, at *67 (citing Stokes v. Barnhart, 257 F. Supp. 2d 288, 295 (D. Me. 2003)).

22. Nelson, supra, 373 A.2d at 1223-24 (quoting Rest. (2nd) of Torts §652C).

23. Id. (quoting Rest. (2nd) of Torts §652C cmt. d).

24. Nelson, supra, 373 A.2d at 1224 (citing Cason v. Baskin, 155 Fla. 198, 20 So.2d 243, 251 (1945)).

25. Fitch v. Stanley, No. CIV.A. CV-04-78, 2005 WL 3678033, at *1 (Me. Super. Dec. 16, 2005) (citing Rest. (2nd) of Torts §652C cmt. b).

26. State v. Strong, 2013 ME 21, ¶¶ 17-18, 60 A.3d 1286, 1291.

27. Id. at 1291 n.4.

28. Bonney v. Stephens Mem'l Hosp., 2011 ME 46, ¶ 20, 17 A.3d 123, 128.

29. Id.