Maine
Table of Contents
- Identity Theft Statistics
- Top Ten Report Categories
- Top Identity Theft Types
- Fraud & Other Reports by Metropolitan Area
- Maine’s Recent Biggest Data Breaches
- What Should You Do if You Are in a Breach?
- Step-by-Step Process for Responding to a Data Breach
- Responsibilities of Companies that Have Been Breached
- Laws
- Resources
Data breaches occur when an unauthorized party infiltrates a system that handles or stores personal information. Though organizations are legally bound to protect this information, cybercriminals still develop ways to access, steal, and sell this information. Maine ranks 47th in the number of people who have suffered data breaches and lost $18,968,567 in 2023. These breaches relate to financial, education, retail, and healthcare facilities. That is, by hacking, malware, phishing, ransomware, or general denial of service attacks.
Identity Theft Statistics
Reports
Reports
Losses
Top Ten Report Categories
Top Identity Theft Types
Maine's Recent Biggest Data Breaches
Pension Benefit Information Data Breach
In May 2023, Progress Software, which works with Pension Benefit Information, disclosed a vulnerability that had been exploited by an unauthorized party. An investigation began to determine the types of information exposed. PBI's investigation found that the information involved in the event, which could have been subject to unauthorized access, included names, partial mailing addresses, Social Security details, and dates of birth. This incident affected 1,912 individuals. PBI issued a notice letter of the event to all who were affected. The letter carried an offer to provide credit monitoring and identity restoration to all who were affected for two years.
Houser LLP Data Breach
In May 2023, Houser determined that particular files on its computer systems became encrypted without its consent. With the assistance of an external forensic specialist, Houser launched an investigation to assess the scope of the breach. This investigation showed the unauthorized party may have infiltrated and deleted copies of stolen data. This information included names, Social Security numbers, financial account numbers, tax identification details, and medical information. Houser also provided a written notice of the event to the 1483 affected residents courtesy of the breach. Houser has since implemented additional safeguards relating to privacy and its network. It also provided those affected with credit monitoring and identity protection for twelve months.
Alliance Solutions Group, LLC Data Breach
In May 2023, Talent Launch, the business name for Alliance Solutions, discovered unauthorized access to its networks due to a cybersecurity event resulting in the exposure of company information. When Tallent Launch learned about the event, the organization took steps to secure its system and mitigate further harm. Talent Launch also engaged the assistance of some cybersecurity experts to handle the investigation. From their initial review of the hack, it was determined that names, in combination with financial or credit card numbers, were accessed. Security, access codes, passwords, and pins may also be exposed. There was no evidence to suggest that the information obtained was used to commit fraud, but the 14,051 affected were advised to check their accounts regularly. Talent Launch also provided those affected with complimentary credit monitoring for twelve months.
Newton Public Schools Data Breach
In March 2023, Newport Public Schools discovered an unauthorized party accessed their network. Immediately, this came to light; they shut down the system and initiated an investigation with external cybersecurity experts to determine the cause of the breach. They concluded their assessment in February 2024, finding that specific personal information files may have been exposed. Some of the exposed information included full names and Social Security numbers, though 10,545 Maine residents were affected. The organization also issued notification letters to all who may have been affected. They also provided 12 months of complimentary credit-free monitoring and identity theft protection.
ROMWE Data Breach
In September 2020, ROMWE discovered some of their consumer information had been posted on the dark web. ROMWE immediately retained the services of an external cybersecurity expert to investigate the situation. It determined that some customer usernames and passwords were stolen from their computer network. These passwords may have been used to access ROMWE account data, including names, phone numbers, and emails. The 26,294 affected Maine residents were advised to reset their usernames and passwords. ROMWE also provided them with credit monitoring and identity theft protection services.
What Should You Do if You Are in a Breach?
Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.
Unfamiliar
Credit Card Charges
If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.
Calls from
Debt Collectors
Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.
New Credit Cards
or Loans in Your Name
A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.
Surprise Credit
Score Drops
Sudden credit drops with no obvious cause are a sign of suspicious activities.
Unusual Activity on Your
Social Security Account
The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.
Inability to
Sign-in to Accounts
If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.
Step-by-Step Process for Responding to a Data Breach
Contact Local Law Enforcement
As an individual or a business, report the incident to the police and file a police report.
Assess and Secure Compromised Areas
Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.
Contain the Breach
Isolate the affected system to prevent further damage.
Create New, Strong Passwords for All Accounts
This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.
Notify Affected Institutions
Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.
Update Security on Digital Accounts
Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.
Check for Malware
Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.
Freeze Your Credit
In cases of identity theft, contact all credit bureaus to freeze your credit.
Monitor Your Mail and Credit Reports
Keep an eye out for any unauthorized changes in your mail.
Engage Legal Assistance When Applicable
If you are a business, consider hiring a law firm experienced in handling data breaches.
Responsibilities of Companies that Have Been Breached
Personal data breaches must be reported immediately after they have been revealed. Businesses are required to report these data breaches to Maine residents within 30 days of discovering the scope of the breach. However, if law enforcement requests that more time be given because notification would interfere with their investigation, it is possible to delay issuing the letters. Notification may be done in three ways: written letters, telephone calls, or electronic notices. A substitute notice may be provided if the business does not have sufficient contact details concerning everyone affected. Similarly, a substitute notice is permitted if the entity has to alert more than one thousand individuals or the cost exceeds $5,000. That is by email, a conspicuous posting of the incident on the business's website, and alerting the statewide media outlets.
Along with notifications to Maine residents, entities must notify the Maine Attorney General and the Department of Professional & Financial Regulation. If the number of those to be notified is more than 1,000, then the business has to alert nationwide consumer reporting agencies. Entities that comply with security breach notification regulations because of their own protocols of timing and issuing alerts will be deemed to comply.
Businesses that violate notification requirements are subject to penalties of $500 per violation. Penalties will be issued at a maximum of $2,500 per day. The Office of the Attorney General will enforce penalties.
Laws
- Maine law Title 10, §1348 deals with the security breach notification requirements. That is notification to residents and delay exceptions such as by law enforcement.
- The Maine Data Privacy and Protection Act requires businesses to abide by strong minimization. That prevents the collection and processing of information that is not reasonably required for the provision of specific goods and services to the clientele.
Resources
- Newton Public Schools Data Breach Notification
- Pension Benefit Information, LLC Data Breach notification
- Houser LLP Supplemental Notice of Data Event
- Talent Launch LLC data breach notification
- US Customer Notification – ROMWE Data Breach
- 131st Maine Legislature, Second Regular Session, An Act to Create the Data Privacy and Protection Act
- Title 10: Commerce and Trade; Part 3: Regulation of Trade, Chapter 210-b: notice of risk to personal data