Montana Data Breach Notification Law featured image

Montana Data Breach Notification Law

by John DiGiacomo

Partner

Montana Data Breach Notification Law has been updated to expand the definition of “personal information” and also require notice to the state attorney general’s consumer protection office. A data breach is generally a security incident in which sensitive, protected, or confidential data is copied, transmitted, stolen, viewed, or used by an individual unauthorized to do so. Data breaches can occur due to human error, deliberate hacking, or criminal cyber attacks. According to the Montana Department of Justice, over 100,000 Montana citizens have been victims of data breaches in the past year. Pursuant to Montana Code Annotated § 30-14-1704, businesses and state agencies are required to notify affected Montana residents if data breaches affect their personal information.

Montana Data Breach Notification Law

Under this statute, a “breach of the security of the data system” is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained the business, and causes, or reasonably believed to cause, loss or damage to a Montana resident. For the purposes of this statute, personal information includes an individual’s first and last names, combined with one or more of the following:

  1. a social security number;
  2. driver’s license number, state identification card number, or tribal number;
  3. an account number, or credit or debit card number, in combination with any required security code, access code, or password;
  4. medical record information as defined in 33-19-104;
  5. taxpayer identification number; or
  6. an identity protection personal identification number issued by the U.S. Internal Revenue Service (IRS).  

When a Montana resident’s information becomes compromised, § 33-19-104 requires notice to the affected consumer via written notice, electronic notice (if consistent with 15 U.S.C. 7001), telephone notice, or substitute notice. The business is required to notify a Montana resident if an unauthorized person acquired the resident’s personal information. Notice is also required if there is a reasonable belief of unauthorized acquisition. The notice should include the date(s) of the breach or probable breach and identify those elements of personal information that were likely acquired. The notice must also be sent to the Attorney General’s Office of Consumer Protection. If more than one Montana resident is affected, the business must indicate how many Montana residents were notified.

For information about cyber security, contact Revision Legal’s team of experienced data breach attorneys through the form on this page or call 855-473-8474.
Image courtesy of Flickr user Blue Coat Photos

Extra, Extra!
Recent Posts

Fairness Factors For Your College NIL Agreement

Fairness Factors For Your College NIL Agreement

Corporate

In May 2025, as part of a settlement of litigation involving college football, a new entity was created called the College Sports Commission (“CSC” or “Commission”). See news media reports here and here. Among many other purposes, the CSC will monitor and approve name, image, and likeness (“NIL”) agreements for college athletes. As the term […]

Read more about Fairness Factors For Your College NIL Agreement

Is a “Fanciful” Trademark the Best Type of Trademark?

Is a “Fanciful” Trademark the Best Type of Trademark?

Trademark

Trademarks are words, designs, symbols, logos, and other things that are used/associated with goods or services that identify the specific commercial source of the goods/services. COCA-COLA, APPLE, and GUCCI are just a few famous examples. If COCA-COLA is on the bottle, consumers know what to expect from the beverage in the bottle. The same for […]

Read more about Is a “Fanciful” Trademark the Best Type of Trademark?

Put Revision Legal on your side