Although Maine has a new state law to protect consumers in the event of an online security breach, William Lund, director of the Maine Office of Consumer Credit Regulation, said Tuesday that he was "struck by some weaknesses" in the measure in light of the Hannaford breach.

For example, the law only takes effect if so-called personal identifying information is lost or stolen. In this case, no names were stolen, so technically the law did not require Hannaford to notify officials of the breach.

The law also covers only stolen or lost computer data, so information found through "Dumpster diving" or mail theft wouldn't be covered. A third weakness, he said, is that there is a "sort of open-ended time period" for a retailer to disclose the breach, pending an investigation.

"There is some question about this time period," he said, "especially for financial institutions when every day may result in losses that they may have to cover.

"Out of this situation, in future Legislatures, you may see some of these addressed," Lund said.

The Hannaford breach will also provide an opportunity for state officials to analyze just how much a breach like this costs the parties involved, he said.