As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings. [PL 2021, c. 24, §1 (NEW).]
1. Authorized individual. “Authorized individual” means an individual whose access to the nonpublic information held by a licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate.

[PL 2021, c. 24, §1 (NEW).]

Ask an insurance law question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

Terms Used In Maine Revised Statutes Title 24-A Sec. 2263

  • Authorized individual: means an individual whose access to the nonpublic information held by a licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate. See Maine Revised Statutes Title 24-A Sec. 2263
  • Beneficiary: A person who is entitled to receive the benefits or proceeds of a will, trust, insurance policy, retirement plan, annuity, or other contract. Source: OCC
  • Consumer: means an individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody or control. See Maine Revised Statutes Title 24-A Sec. 2263
  • Cybersecurity event: means an event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system. See Maine Revised Statutes Title 24-A Sec. 2263
  • health insurance: means insurance of human beings against bodily injury, disablement or death by accident or accidental means, or the expense thereof, or against disablement or expense resulting from sickness, and every insurance appertaining thereto, including provision for the mental and emotional welfare of human beings by defraying the costs of legal services only to the extent provided for in chapter 38. See Maine Revised Statutes Title 24-A Sec. 704
  • Information security program: means the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information. See Maine Revised Statutes Title 24-A Sec. 2263
  • Information system: means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as an industrial or process control system, a telephone switching and private branch exchange system or an environmental control system. See Maine Revised Statutes Title 24-A Sec. 2263
  • Jurisdiction: (1) The legal authority of a court to hear and decide a case. Concurrent jurisdiction exists when two courts have simultaneous responsibility for the same case. (2) The geographic area over which the court has authority to decide cases.
  • Licensee: means a person licensed, authorized to operate or registered or required to be licensed, authorized or registered pursuant to the insurance laws of this State. See Maine Revised Statutes Title 24-A Sec. 2263
  • Multifactor authentication: means authentication through verification of at least 2 of the following types of authentication factors:
A. See Maine Revised Statutes Title 24-A Sec. 2263
  • Nonpublic information: means information that is not publicly available information and is:
  • A. See Maine Revised Statutes Title 24-A Sec. 2263
  • Public law: A public bill or joint resolution that has passed both chambers and been enacted into law. Public laws have general applicability nationwide.
  • Publicly available information: means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
  • A. See Maine Revised Statutes Title 24-A Sec. 2263
  • Risk assessment: means the risk assessment that a licensee is required to conduct under section 2264, subsection 3. See Maine Revised Statutes Title 24-A Sec. 2263
  • Third-party service provider: means a person that is not a licensee and that contracts with a licensee to maintain, process or store or otherwise is permitted access to nonpublic information through its provision of services to the licensee. See Maine Revised Statutes Title 24-A Sec. 2263
  • 2. Consumer. “Consumer” means an individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of this State and whose nonpublic information is in a licensee’s possession, custody or control.

    [PL 2021, c. 24, §1 (NEW).]

    3. Cybersecurity event. “Cybersecurity event” means an event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system.
    “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released or used without authorization.
    “Cybersecurity event” does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

    [PL 2021, c. 24, §1 (NEW).]

    4. Encrypted. “Encrypted,” with respect to data, means that the data has been transformed into a form that results in a low probability of assigning meaning without the use of a protective process or key.

    [PL 2021, c. 24, §1 (NEW).]

    5. Information security program. “Information security program” means the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information.

    [PL 2021, c. 24, §1 (NEW).]

    6. Information system. “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as an industrial or process control system, a telephone switching and private branch exchange system or an environmental control system.

    [PL 2021, c. 24, §1 (NEW).]

    7. Insurance carrier. “Insurance carrier” has the same meaning as in section 2204, subsection 15.

    [PL 2021, c. 24, §1 (NEW).]

    8. Licensee. “Licensee” means a person licensed, authorized to operate or registered or required to be licensed, authorized or registered pursuant to the insurance laws of this State. “Licensee” does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer and is domiciled in another state or jurisdiction.

    [PL 2021, c. 24, §1 (NEW).]

    9. Multifactor authentication. “Multifactor authentication” means authentication through verification of at least 2 of the following types of authentication factors:
    A. Knowledge factors, such as a password; [PL 2021, c. 24, §1 (NEW).]
    B. Possession factors, such as a token or text message on a mobile telephone; and [PL 2021, c. 24, §1 (NEW).]
    C. Inherence factors, such as a biometric characteristic. [PL 2021, c. 24, §1 (NEW).]

    [PL 2021, c. 24, §1 (NEW).]

    10. Nonpublic information. “Nonpublic information” means information that is not publicly available information and is:
    A. Business-related information of a licensee the tampering with or unauthorized disclosure of, access to or use of which would materially and adversely affect the business, operations or security of the licensee; [PL 2021, c. 24, §1 (NEW).]
    B. Information that, because of name, number, personal mark or other identifier, can be used in combination with any one or more of the following data elements to identify a consumer:

    (1) Social security number;
    (2) Driver’s license number or nondriver identification card number;
    (3) Financial account number or credit or debit card number;
    (4) Any security code, access code or password that would permit access to a consumer’s financial account; or
    (5) Biometric records; or [PL 2021, c. 24, §1 (NEW).]
    C. Information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:

    (1) The past, present or future physical, mental or behavioral health or condition of a consumer or a member of the consumer’s family;
    (2) The provision of health care to a consumer; or
    (3) Payment for the provision of health care to a consumer. [PL 2021, c. 24, §1 (NEW).]
    “Nonpublic information” does not include a consumer’s personally identifiable information that has been anonymized using a method no less secure than the so-called safe harbor method under the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

    [PL 2021, c. 24, §1 (NEW).]

    11. Publicly available information. “Publicly available information” means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
    A. Federal, state or local government records; [PL 2021, c. 24, §1 (NEW).]
    B. Widely distributed media; or [PL 2021, c. 24, §1 (NEW).]
    C. Disclosures to the general public that are required to be made by federal, state or local law. [PL 2021, c. 24, §1 (NEW).]
    For the purposes of this definition, a licensee has a reasonable basis to believe that information is lawfully made available to the general public if the licensee has taken steps to determine that the information is of a type that is available to the general public and if a consumer can direct that the information not be made available to the general public and, if so, that the consumer has not done so.

    [PL 2021, c. 24, §1 (NEW).]

    12. Risk assessment. “Risk assessment” means the risk assessment that a licensee is required to conduct under section 2264, subsection 3.

    [PL 2021, c. 24, §1 (NEW).]

    13. Third-party service provider. “Third-party service provider” means a person that is not a licensee and that contracts with a licensee to maintain, process or store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

    [PL 2021, c. 24, §1 (NEW).]

    SECTION HISTORY

    PL 2021, c. 24, §1 (NEW).