On May 19, Maine Governor John Baldacci signed legislation limiting the time that breach notification may be delayed following a determination by law enforcement that providing notice will not compromise a criminal investigation. The provision, which will take effect 90 days after the close of the Legislature’s 2009 session (scheduled to occur on June 17), will limit the permissible delay to seven business days.

Pursuant to Maine’s current breach notification law, entities that become aware of a breach “shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.” If the entity concludes, following its investigation, that notification to affected individuals is required, notice may be delayed if a law enforcement agency determines that notice would “compromise a criminal investigation.” Once the law enforcement agency concludes that notification will not compromise its criminal investigation, the entity will have no more than seven business days to provide notice of the breach to affected individuals.

Text of the legislation, L.D. 970, is available here.