Security Breach Notification Law in the State of Montana

Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321 is a security breach notification law that was passed in the U.S. state of Montana in 2006 and later amended in 2015. Under the law, business entities and organizations within Montana must provide data breach notifications to all affected parties when a security breach occurs. The law also empowers the Montana attorney general to impose penalties against business entities that fail to adhere to its provisions, including monetary penalties and legal actions.

How is a security breach defined under Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321?

Under Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321, a security breach is defined as “any unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by the Entity and causes or is reasonably believed to cause loss or injury to an MT resident.” Conversely, the “good-faith acquisition of PI by an employee or agent of the Entity for the purpose of the Entity is not a breach of the security of the data system, provided that the PI is not used or subject to further unauthorized disclosure.”

What are the security breach notification requirements under the law?

Under Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321, a business entity that conducts operations within the state of Montana is responsible for providing security breach notifications to all affected individuals should such an incident take place. These notifications must be provided to residents of Montana without unreasonable delay and must give those residents information concerning the scope and severity of the breach, as well as any steps that the affected entity has taken to restore the reasonable integrity of the data system that sustained the breach, among other things.

Moreover, in instances where business entities provide Montana consumers with security breach notifications that suggest, indicate, or imply that affected individuals obtain a copy of their credit report, said entities are also required to “coordinate with the credit reporting agency as to the timing, content, and distribution of notice to the individual (but this may not unreasonably delay disclosure of the breach).” Furthermore, business entities must also provide notifications to both the Montana attorney general and the Montana insurance commissioner in the event that a security breach takes place.

What types of personal information are covered under the law?

Under the provisions of Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321, the following types of personal information are covered when they appear in combination with a Montana resident’s first name or first initial and last name and have not been encrypted or redacted:

  • Social security numbers.
  • Driver’s license numbers, state identification cards, tribal identification card numbers.
  • Financial account numbers and credit and debit card numbers, as well as any required passwords, access codes, and security codes that could be used to permit access to an individual’s financial account.
  • “Medical record information as defined in 33-19-104 (Personal information that: (a) relates to an individual’s physical or mental condition, medical history, medical claims history, or medical treatment; and (b) is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.)”
  • Taxpayer identification numbers.
  • Identity protection personal identification numbers that are issued by the U.S. IRS.

What are the penalties for violating the law?

The provisions set forth in Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321 are enforced by the Montana attorney general, who has the authority to impose the following punishments against business entities and individuals that fail to maintain compliance with the law:

  • Monetary damages.
  • A short-term or permanent injunction.
  • A restraining order.

As security breaches have become an inevitable reality due to the online nature of our current society, legislation such as Mont. Code § 2-6-1501 et seq., 30-14-1704 et seq., 33-19-321 ensures that American citizens can protect themselves should a security breach occur. Whether it be in the form of monetary damages or restraining orders, the Montana attorney general can impose a number of punishments against businesses and organizations within the state that are found to be in violation of the law. As such, residents of Montana can rest assured that they have the legal means to protect themselves in the event that personal information pertaining to them is compromised during or as a result of a security breach.