§ 24-A §2263 — Definitions

Maine § 24-A §2263

• Jurisdiction: Maine
• Title 24-A: MAINE INSURANCE CODE
• Ch. 24-B: MAINE INSURANCE DATA SECURITY ACT

Text

As used in this chapter, unless the context otherwise indicates, the following terms have the following meanings.
1.
Authorized individual.
"Authorized individual" means an individual whose access to the nonpublic information held by a licensee and its information systems is authorized and determined by the licensee to be necessary and appropriate.
1-A.
Ancillary service provider.
"Ancillary service provider" means a person that is not a licensee and that contracts with a 3rd-party service provider or with another ancillary service provider to maintain, process or store nonpublic information obtained from the licensee or is otherwise permitted access to nonpublic information obtained from the licensee through its provision of services to the 3rd-party service provider or other ancillary service provider.
2.
Consumer.
"Consumer" means an individual, including but not limited to an applicant for insurance, policyholder, insured, beneficiary, claimant or certificate holder, who is a resident of this State and whose nonpublic information is in a licensee's possession, custody or control.
3.
Cybersecurity event.
"Cybersecurity event" means an event resulting in unauthorized access to, disruption of or misuse of an information system or information stored on an information system.
4.
Encrypted.
"Encrypted," with respect to data, means that the data has been transformed into a form that results in a low probability of assigning meaning without the use of a protective process or key.
5.
Information security program.
"Information security program" means the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information.
6.
Information system.
"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as an industrial or process control system, a telephone switching and private branch exchange system or an environmental control system.
7.
Insurance carrier.
"Insurance carrier" has the same meaning as in section 2204, subsection 15.
8.
Licensee.
"Licensee" means a person licensed, authorized to operate or registered or required to be licensed, authorized or registered pursuant to the insurance laws of this State. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer and is domiciled in another state or jurisdiction.
9.
Multifactor authentication.
"Multifactor authentication" means authentication through verification of at least 2 of the following types of authentication factors:
10.
Nonpublic information.
"Nonpublic information" means information that is not publicly available information and is:
11.
Publicly available information.
"Publicly available information" means information that a licensee has a reasonable basis to believe is lawfully made available to the general public from:
12.
Risk assessment.
"Risk assessment" means the risk assessment that a licensee is required to conduct under section 2264, subsection 3.
13.
Third-party service provider.
"Third-party service provider" means a person that is not a licensee and that contracts with a licensee to maintain, process or store or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

Legislative History

PL 2021, c. 24, §1 (NEW). PL 2025, c. 348, §29 (AMD).