Montana Data Breach Notification Law

by John DiGiacomo

Partner

The Montana Data Breach Notification Law has been updated to expand the definition of “personal information” and to require notice to the state attorney general’s consumer protection office. A data breach is generally a security incident in which sensitive, protected, or confidential data is copied, transmitted, stolen, viewed, or used by an individual unauthorized to do so. Data breaches can occur due to human error, deliberate hacking, or criminal cyber attacks. According to the Montana Department of Justice, over 100,000 Montana citizens have been victims of data breaches in the past year. Pursuant to Montana Code Annotated § 30-14-1704, businesses and state agencies are required to notify affected Montana residents if data breaches affect their personal information.

Montana Data Breach Notification Law

Under this statute, a “breach of the security of the data system” is the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the business, and causes, or is reasonably believed to cause, loss or damage to a Montana resident. For the purposes of this statute, personal information includes an individual’s first and last names, combined with one or more of the following:

  1. a social security number;
  2. driver’s license number, state identification card number, or tribal number;
  3. an account number, or credit or debit card number, in combination with any required security code, access code, or password;
  4. medical record information as defined in 33-19-104;
  5. taxpayer identification number; or
  6. an identity protection personal identification number issued by the U.S. Internal Revenue Service (IRS).  

When a Montana resident’s information becomes compromised, § 33-19-104 requires notice to the affected consumer via written notice, electronic notice (if consistent with 15 U.S.C. 7001), telephone notice, or substitute notice. The business is required to notify a Montana resident if an unauthorized person acquired the resident’s personal information. Notice is also required if there is a reasonable belief of unauthorized acquisition. The notice should include the date(s) of the breach or probable breach and identify those elements of personal information that were likely acquired. The notice must also be sent to the Attorney General’s Office of Consumer Protection. If more than one Montana resident is affected, the business must indicate how many Montana residents were notified.

For information about cyber security, contact Revision Legal’s team of experienced data breach attorneys through the form on this page or call 855-473-8474.
Image courtesy of Flickr user Blue Coat Photos
