tit. Several other financial institutions reported that they first learned of data breaches directly from their card or data service processors (e.g., Elan, Metavante and Fair Isaac), and one reported learning of the breach through the Maine Association of Community Banks (MACB). Sample of Notice: ARX Patient Solutions Data Breach Notification Letters. Any of the above data elements when not in connection with the individual's first name, or first initial, and last name, if the information compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised. These are known as the Payment Card Industry Data Security Standard (the PCI Standard). 10 M.R.S.A. § 1346. enact a data breach notification law on March 28, 2018.
Electronic Maine Security Breach Reporting Form
Maine Data Breach Notices (12/6/2018 - 9/14/2020) (MS Excel)
Maine Data Breach Notices (8/1/2010 - 12/5/2018) (MS Excel)
Customer Communications: (a) initial notification; (b) subsequent communications; (c) public media. Nevertheless, despite its weaknesses, the aggregate data are considered representative of costs to Maine financial institutions in response to the subject data breaches. The Hannaford fraud losses occurred in more than 712 accounts (five of the 22 institutions that suffered a fraud loss did not report the number of accounts). The Federal Trade Commission has a great deal of helpful guidance for businesses to help with the task of keeping customer information . (Table 2)

TABLE 2: EXPENSE SUMMARY ($ in thousands)

Category          TJX              Hannaford          Other            Total
                  $        %       $        %         $       %        $        %
Investigation    71.6    14.8    184.9    11.6      13.4    21.3    269.9    12.6
Communication    72.6    15.0    218.6    13.7      13.2    21.1    304.5    14.2
Reissuance      285.1    58.8    859.5    53.9      19.5    31.1  1,164.2    54.3
Net Fraud        36.2     7.5    299.5    18.8       0.4     0.6    336.1    15.7
Other            19.6     4.0     32.9     2.1      16.2    25.9     68.8     3.2
TOTAL           485.2   100.0  1,595.4   100.0      62.8   100.0  2,143.5   100.0

The first part consisted of twelve questions to which financial institutions provided narrative responses. 
(1) Except as otherwise provided in subsection (d) of this section, any data collector that owns or licenses computerized personally identifiable information or login credentials shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. As our access to information increases, our concerns about financial privacy should increase as well. Tables 7 and 8 also show that there is no correlation between cards reissued or total assets and net fraud losses in either the TJX breach or the Hannaford breach. The focus of the study is on those breaches that were reportable under Maine's new data breach law, known as the Notice of Risk to Personal Data Act, 10 M.R.S.A. Recent Amendments to State Breach Notification Laws. A person is guilty of the class D crime of Misuse of Identification if they knowingly present a credit or debit card that is stolen, forged, canceled or obtained as a result of fraud or deception. Don't store sensitive information on computers with internet connections. Regularly run anti-spyware and anti-virus programs. Encrypt sensitive data you send to outside entities and consider encrypting data you store (you might still get hacked, but the hacker can't use the data). Require employees to use passwords and make sure they are strong passwords, and always change default passwords when you get new software. Use firewalls to protect your computers while they are connected to the internet. Conduct employee background checks and training, and follow good exit procedures when an employee leaves. Shred paper documents and make shredders easily available. Also figure out who currently has access to that information and decide whether they really need it. Chapter 210-B for each breach that occurred at the financial institution. Maryland Amends Data Security and Breach Notice Obligations. ASP MWI Holdings Inc. - MW Industries, Inc. 
American Express Travel Related Services Company, Rehoboth McKinley Christian Health Care Services. Maine's Act Regarding Identity Theft Deterrence, 10 M.R.S.A. In a minority of cases, financial institutions provided their customers with the option of having their cards replaced. If allowed to sue as third party beneficiaries, financial institutions may receive some compensation for breach of contract. 5310, 2 titled "An Act Concerning Data Breaches," which expands the state data breach law's definition of "personal data" and shortens its breach notification deadline. Security breach notice requirements. For the Hannaford breach, gross fraud losses of $318,213 were reported by 22 institutions, with three institutions reporting fraud recoveries of $18,698. Data Breach Notifications - Maine. Title 10, §1347: Definitions - Maine State Legislature. Responses: In the case of the financial institution at which the breach occurred, the financial institution's risk management team was promptly notified by the employee responsible for the inadvertent breach. For any other person, the standard is met if the investigation shows that misuse of a Maine resident's personal information has occurred or if it is reasonably possible that such misuse will occur. Thus, the Data Act implicitly requires entities subject to it to take steps to prevent future breaches. Definitions. Net fraud: losses sustained as a result of actual fraudulent or unauthorized transfers from accounts. Any individual, corporation, business trust, estate, trust, partnership, association, nonprofit corporation or organization, cooperative, state agency or any other legal entity (collectively, Entity) that owns or licenses computerized data that includes PI. The non-fraud expenses were more concentrated in a few institutions in the TJX breach than in the Hannaford breach: five institutions accounted for 39% of total expenses (excluding fraud) in the former vs. 20% in the Hannaford breach. 
The Bureau, in summarizing the responses, thus organized the data breaches as follows whenever possible: the TJX data breach, the Hannaford data breach, and other data breaches. Relevant red flags include alerts, notifications or other warnings from consumer reporting agencies or fraud detection services. The Q&A also addresses the types of information protected by statute and enforcement mechanisms. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system. Any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of state government, the University of Maine System, the Maine Community College System, Maine Maritime Academy, and private colleges and universities, or any information broker, which means a person who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing PI to nonaffiliated third parties (collectively, Entity) that maintains computerized data that includes PI. See Table 8. Data Breach Notifications - Maine: https://maine-securemail.net/s/login?b=stateofmaine If you have any questions, contact Christian Van Dyck at (207) 624-8574. Bay Shore Brightwaters Rescue Ambulance, Inc. requires people who maintain computerized personal data (such as SSNs, driver's license or state ID numbers, account, credit and debit card numbers) who become aware of a security breach to conduct in good faith a reasonable and, Any other business maintaining personal info must notify residents whose personal data has been. 
Responses: The purpose of this question was to capture any relevant activity conducted by financial institutions not covered elsewhere in the survey questions. 1. Answers to questions can be compared across a number of jurisdictions (see. The agencies within the Department of Professional and Financial Regulation enforce the Data Act as to entities under their respective jurisdiction. interpretation of Maine law to the public. Do not include a cost in one category if it has been included in another category. Item 2(c): Includes all forms of internal and external communications, as well as call center costs. For each breach, the Bureau asked each financial institution to identify how many accounts at the financial institution were breached and how many customers were affected by the breach. Maine's Data Breach Law is typical of many other state laws in defining what type of lost personal information requires notification. It also includes Maine government agencies, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy, and private colleges and universities. However, in cases where entities are regulated by the Department of Professional and Financial Regulation, such as financial institutions, the relevant Bureau within the Department is responsible for enforcement. Sisterhood, Sequoia One PEO LLC and delivering notice on behalf of clients of Sequoia Benefits and Insurance Services, LLC, d/b/a Sequoia Consulting Group, Florida State College at Jacksonville Foundation. Managed Markets Insight & Technology, LLC. 
Information Dynamics Incorporated dba SinglePoint, Supplemental Income Trust Fund; MonRoc Administrators LLC, Concord Hospitality Enterprises Company, LLC, Resource Anesthesiology Associates of NM Inc, Franklin Park Conservatory and Botanical Gardens, Coastal Realty Capital d/b/a Maine Capital Group o/b/o Maine Capital Group and Approved Home Mortgage, California Physicians' Services d/b/a Blue Shield of California (BSC), W.W. Wallwork, Inc. and its affiliates Wallwork Truck Center, Wallwork Financial Corporation, Valley Imports, and Advanced Auto Body, CSI Financial Services, LLC ("ClearBalance"), American Federation of Musicians and Employers' Pension Fund, Baywood Medical Associates, PLC dba Desert Pain Institute, BluePearl Specialty + Emergency Pet Hospital, Greater New York Mutual Insurance Company, Terrier Media Buyer, Inc. dba Cox Media Group, Island Hotel Company Limited doing business as Atlantis Paradise Island, Diamond International Galleries, Inc. (DIG), Fiondella, Milone & LaSaracina LLP, on behalf of itself and relevant Data Owner(s), Burrelles Information Services LLC DBA Burrelles, The Society of Chartered Property Casualty Underwriters, TMX Finance Corporate Services, Inc., on behalf of itself, its parent TMX Finance LLC and its affiliates, many of which operate under the brands TitleMax, TitleBucks, and InstaLoan (collectively, TMX), Fiondella, Milone & LaSaracina LLP, on behalf of relevant data owner(s), The Public School and Education Employee Retirement Systems of Missouri, Cali Pet Nutrients LLC dba Ultimate Pet Nutrition. Last, if an agency at the Department of Professional and Financial Regulation regulates the person giving notice, that person must also notify the applicable regulatory agency. Art Center Inc. dba Northwest College of Art & Design, Massachusetts Cannabis Control Commission, Dr. Scott Heinlein Andrew, DPM d/b/a Affiliated Foot & Ankle Center, New Precision Technology, LLC / dba USI, Inc, Parkview Health System, Inc. 
("Parkview"), WECC Holdings, Inc. d/b/a Watson Electrical, Apprentice and Journeymen Training Trust Fund of the Southern California Plumbing & Piping Industry, Pavese, Haverfield, Dalton, Harrison, & Jensen LLP d/b/a Pavese Law Firm, Mason Tenders District Council Welfare Fund, Annuity Fund, and Pension Fund, Carefree of Colorado, a Division of Scott Fetzer Company, NYSARC, Inc. Columbia County Chapter dba COARC, E.T.
Notification and Protection Services
Type of Notification: Written
Date(s) of consumer notification: 05/26/2023
Copy of notice to affected Maine residents: MCNA - ME Individual Notice Letters.pdf
Date of any previous (within 12 months) breach notifications: N/A
Were identity theft protection services offered: Yes
Indirect costs are any costs that are not considered direct costs, such as lost productivity. The notification must be made as expediently as possible and without unreasonable delay, but not more than 30 days after the person is aware of the breach and has identified its scope. American Health Information Management Association (AHIMA), CPR AED Course LLC dba American Health Care Academy, Cowboy Bancshares Inc. d/b/a Bank of Kremlin, Emery Accounting LLC dba Accounting Solutions of Idaho, Noblr, Inc. for Noblr Risk Management, LLC as attorney-in-fact for Noblr Reciprocal Exchange, The American Civil Liberties Union of Massachusetts, Anderson's residential interior and exterior painting, Rugged Solutions America, LLC d/b/a Rugged Notebooks, Soft Drink & Brewery Workers Union Local 812 Retirement Fund, Cycle Express, LLC dba National Powersport Auctions, Sunrise Global Marketing LLC d/b/a Greenworks Tools, Digital Insurance, LLC doing business as OneDigital, The Producer Group, LLC (TPG) D/B/A The Todd Organization, J Wavro Associates Inc. & J. 
Wavro Property Management Company, VF Outdoor, LLC doing business as Timberland, NAR Training, LLC DBA North American Rescue Education and Training, Central Texas Medical Specialists PLLC dba Austin Cancer Centers, Brown Brothers Harriman & Co. and its affiliates ("BBH"), Jordan Health Products, LLC d/b/a Avante Health Solutions. A Q&A guide to state data breach notification laws in Maine. In 2005, the Federal regulatory agencies also updated their Guidance entitled "Authentication in an Electronic Banking Environment" (the updated Authentication Guidance), originally issued in 2001. Most of the time, this happens when someone outside your organization. Those conducting investigations should use their best judgment, based on what they know at the time, in deciding whether the misuse standard has been met. Because of the publicity surrounding the TJX and Hannaford data breaches, several financial institutions were able to identify the source of the breach without reference to any alert. d/b/a Lazarus Naturals, Midjit Market, Inc. dba Green Valley Grocery, Five Guys Enterprises, LLC / Five Guys Operations, LLC. c) Responsibilities of other non-financial institution entities. Although far less comprehensive, non-financial institutions are subject to some control over their use and storage of customer data. Minn. Stat. 2139, the Bureau of Financial Institutions, in consultation with the Maine Credit Union League, the Maine Association of Community Banks, the Maine Bankers Association and the New England Financial Services Association, was mandated to conduct a study of the impact of data security breaches on Maine banks and credit unions since January 1, 2007 that have or should have been reported under Maine's Notice of Risk to Personal Data Act. 
Be as specific as possible, e.g., entity name where the breach occurred (including the name of your financial institution, if applicable), or, if unavailable, the entity type, date or code number, as indicated on any CAMS (Compromised Account Management System) or similar fraud alerts. CAMS alerts were the only alert mentioned by name.

MAINE DATA BREACH STUDY
Pursuant to Resolve 2007, Chapter 152
Prepared by the Staff of The Maine Bureau of Financial Institutions
November 24, 2008
John Elias Baldacci, Governor
Anne L. Head, Commissioner
Lloyd P. LaFountain III, Superintendent

DATA BREACH STUDY
TABLE OF CONTENTS
INTRODUCTION
PART I: CURRENT LAWS AND REGULATIONS RELATING TO DATA PROTECTION AND RECOVERY
1) Disclosure of data breach
a) Maine's Notice of Risk to Personal Data Act
b) Federal guidelines
2) Protection of data
a) Federal guidelines for banks and credit unions
b) Requirements of the Fair Credit Reporting Act
c) Responsibilities of non-financial institution entities
d) The PCI Standard
3) Recovery from data breach
a) State and federal laws protecting consumers from fraud loss
b) Compensable damages under common law
c) Statutory liability for data breach losses: other States
d) Federal data breach legislation
PART II: STUDY FINDINGS
1) Responses by Maine financial institutions to incidents of data breach
a) Introduction
b) Narrative questions and summary of responses
2) Costs incurred by Maine financial institutions due to incidents of data breach
Conclusion
APPENDIX A: Data Security Breach Questions
APPENDIX B: Resolve

INTRODUCTION
The Bureau of Financial Institutions (the Bureau) was required by Resolve 2007, chapter 152, to study the impact of data security breaches on Maine banks and credit unions, including financial institutions' response to data breaches and the actual costs and expenses incurred by financial institutions as a result of such breaches. 
In 2006, suits brought by Sovereign Bank and BankNorth, N.A. These actions help prevent identity theft, defined in the guidelines as a fraud committed or attempted by using the identifying information of another person without authority. Goodwill Industries of Greater New York and Northern NJ, Inc. Lourdes University, Sisters of St. Francis of Sylvania, Various Data Owners, As Identified in Appendix to Letter, Berkshire Farm Center & Services for Youth, Legacy Operating Company d/b/a Legacy Hospice, The New York City Convention Center Operating Corporation d/b/a Javits Center, Donlen Corporation, now known as Sellerco Corporation, Vivendi Ticketing US LLC (d/b/a See Tickets US), The Research Foundation for the State University of New York. The Court held that the economic loss rule barred the financial institutions' negligence claim because they claimed damages only for economic losses, not for damages to persons or property. 42-3160) and Discount Shoe Warehouse (In the matter of DSW Inc., FTC File No. The Bureau's survey contained two parts. With respect to the TJX breach, the lowest number of accounts affected at an individual financial institution was 26 and the highest number was 5,460. 052-3069). For each breach that occurred at your financial institution, describe how and when the breach was first detected within your financial institution. (The court found that BJ's had breached its contract with VISA, more particularly VISA's operating regulations, which include the Cardholder Information Security Program, or CISP, providing for security requirements relating to the protection of cardholder information.) 3. 
Type of Notification: Written
Date(s) of consumer notification: 05/15/2023-5/18/2023
Copy of notice to affected Maine residents: Notification Letter Template.pdf
Date of any previous (within 12 months) breach notifications:
Were identity theft protection services offered: Yes
The Data Act requires information brokers and others to notify customers when unauthorized persons obtain personal data that could result in identity theft. b) Federal guidelines. Pursuant to Maine's Data Breach Law, financial institutions that comply with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law are deemed to be in compliance with the requirements of Maine's Data Breach Law, as long as the law to which the financial institution is subject is at least as protective as Maine's Data Breach Law. 7001 (E-Sign Act). Texas Medical Liability Trust on behalf of itself and its affiliates, Texas Medical Insurance Company, Physicians Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group (collectively TMLT). computers, storage discs or tapes, flash drives, Blackberries, computerized phone systems. Develop a record retention policy that helps employees know what they need to keep and for how long, and that they shouldn't be keeping anything else. Risk to Personal Data FAQs. Various data breach notification laws have also been passed in other states in response to a growing national concern about identity theft in the wake of several large and well-publicized data breaches. We understand that exact dollar amounts may not be known for all expenses incurred, and therefore the use of estimated costs, if explained, is acceptable. The answer depends on whether the case involves an information broker or any other person.