
Montana Data Breach Notification Law Explained

by John DiGiacomo

Partner

Montana’s data breach notification law has been updated to expand the definition of “personal information” and to require notice to the state attorney general’s consumer protection office. A data breach is generally a security incident in which sensitive, protected, or confidential data is copied, transmitted, stolen, viewed, or used by an individual unauthorized to do so. Data breaches can occur due to human error, deliberate hacking, or criminal cyber attacks. According to the Montana Department of Justice, over 100,000 Montana citizens have been victims of data breaches in the past year. Pursuant to Montana Code Annotated § 30-14-1704, businesses and state agencies are required to notify affected Montana residents if data breaches affect their personal information.

Montana Data Breach Notification Law

Under this statute, a “breach of the security of the data system” is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the business, and causes, or is reasonably believed to cause, loss or damage to a Montana resident. For the purposes of this statute, personal information includes an individual’s first and last names, combined with one or more of the following:

  1. a social security number;
  2. driver’s license number, state identification card number, or tribal number;
  3. an account number, or credit or debit card number, in combination with any required security code, access code, or password;
  4. medical record information as defined in 33-19-104;
  5. taxpayer identification number; or
  6. an identity protection personal identification number issued by the U.S. Internal Revenue Service (IRS).  

When a Montana resident’s information becomes compromised, § 33-19-104 requires notice to the affected consumer via written notice, electronic notice (if consistent with 15 U.S.C. 7001), telephone notice, or substitute notice. The business is required to notify a Montana resident if an unauthorized person acquired the resident’s personal information. Notice is also required if there is a reasonable belief of unauthorized acquisition. The notice should include the date(s) of the breach or probable breach and identify those elements of personal information that were likely acquired. The notice must also be sent to the Attorney General’s Office of Consumer Protection. If more than one Montana resident is affected, the business must indicate how many Montana residents were notified.

For information about cyber security, contact Revision Legal’s team of experienced data breach attorneys through the form on this page or call 855-473-8474.
Image courtesy of Flickr user Blue Coat Photos

Practical Compliance Under the Montana Data Breach Notification Law

Montana’s breach notification statute creates concrete obligations that businesses operating in the state — or holding data of Montana residents — must satisfy. Understanding the statute’s contours is essential to avoiding civil liability and regulatory action.

Who Is Covered

Montana Code Annotated § 30-14-1704 applies to any person or entity that owns or licenses computerized data that includes personal information about a Montana resident. Critically, the law is not limited to businesses physically located in Montana. If you maintain a database with Montana residents’ personal information — whether you are incorporated in Delaware, headquartered in California, or operating entirely online — you are subject to Montana’s notification requirements when a breach occurs.

What Triggers the Notification Obligation

Notification is required when there is (1) unauthorized acquisition of computerized data that (2) materially compromises the security, confidentiality, or integrity of personal information, and (3) that acquisition causes or is reasonably believed to cause loss or damage to a Montana resident. A mere theoretical possibility of unauthorized access — without evidence of actual acquisition — may not trigger the statute. Conversely, if you discover that a third party accessed your systems and downloaded records containing personal information, the duty to notify is almost certainly triggered.

Timing and Method of Notice

Montana requires notice to affected residents in the most expedient time possible and without unreasonable delay. The statute does not impose a specific number of days, but best practice — and the standard applied in enforcement actions — is to notify within 30 to 45 days of discovering the breach. Acceptable methods of notification include: written notice sent by first-class mail; electronic notice consistent with the E-Sign Act (15 U.S.C. § 7001), and only if the resident has previously consented to electronic communications; telephone notice provided directly to the resident; and substitute notice, permitted when the cost of direct notification exceeds $250,000, more than 500,000 residents must be notified, or the business does not have sufficient contact information. Substitute notice requires email, conspicuous website posting, and notice to major statewide media.

The Attorney General Notification Requirement

One of the most significant features of Montana’s updated statute is the requirement to notify the Montana Attorney General’s Office of Consumer Protection whenever more than one Montana resident is affected by a breach. That notice must include the number of Montana residents affected and, ideally, the categories of personal information compromised. Failing to notify the AG in addition to affected individuals is a separate compliance failure that can trigger independent regulatory scrutiny.

Comparing Montana to Other State Laws

Montana’s statute, while comprehensive, differs from other state laws in important ways. California’s Consumer Privacy Act (CCPA) creates a private right of action for certain data breaches and allows statutory damages of $100 to $750 per consumer per incident. New York’s SHIELD Act requires businesses to implement a reasonable data security program and has a broader definition of private information. Illinois’ Biometric Information Privacy Act (BIPA) creates significant exposure for businesses collecting biometric data without consent. When a breach affects residents of multiple states, businesses must simultaneously comply with the notification laws of each affected state — a complex undertaking that benefits from coordinated legal counsel.

Civil Enforcement and Penalties

The Montana Attorney General can bring a civil action against a business that violates the notification statute. Violations can constitute an unfair or deceptive act or practice under Montana’s Consumer Protection Act (MCA § 30-14-111), exposing the violator to civil penalties and, in some circumstances, treble damages and attorney fee awards. Individual plaintiffs may also bring claims if they suffer actual harm traceable to the business’s failure to notify.

If your business has suffered a data breach affecting Montana residents, or if you want to ensure your data security program satisfies Montana’s notification requirements, Revision Legal’s data breach attorneys can help. Contact us through the form on this page or call 855-473-8474.

Building a Proactive Data Security Program for Montana Compliance

Compliance with Montana’s data breach notification statute begins long before any breach occurs. Businesses that maintain personal information about Montana residents should conduct a data inventory to identify what personal information they hold, where it is stored, who has access, and how it is protected. This inventory is the foundation for a data security program tailored to the actual risks the business faces. Businesses should also implement a written information security policy — sometimes called a WISP — that establishes technical, physical, and administrative safeguards appropriate to the size and complexity of the organization and the sensitivity of the personal information it handles. A documented security program does more than reduce the risk of a breach; it provides powerful evidence in any subsequent regulatory investigation or litigation that the business acted reasonably and in good faith in protecting consumer data. Revision Legal’s data breach attorneys regularly assist businesses in developing and reviewing information security programs designed to satisfy both Montana’s requirements and those of other states where their customers reside.
