Montana Computer Security Breach (Mont. Code Ann. § 30-14-1701 - § 30-14-1704)

Montana Computer Security Breach

Mont. Code Ann. § 30-14-1701 - § 30-14-1704

 

SUMMARY:

EFFECTIVE.  March 1, 2006

WHO DOES THIS LAW APPLY TO.  (1) Any person or business that conducts business in Montana and owns or licenses computerized data that includes Personal Information; and (2) any person or business that maintains computerized data that includes Personal Information on Montana residents.

WHAT IS A BREACH.  Unauthorized acquisition of computerized data that materially compromises the security, integrity or confidentiality of Personal Information maintained by a person or business which causes or is reasonably likely to cause loss or injury to a Montana resident. 

WHAT IS PERSONAL INFORMATION.  An individual’s first name or first initial and last name, in combination with any one or more of the following data elements when either the name or data element is not encrypted:

  • Social Security Number or any other number issued by the IRS.
  • Insurance policy number.
  • Driver’s license number, state identification card number, or tribal identification number.
  • Account number, credit card number or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
  • Medical record information that includes physical or mental condition, medical history, medical claims history, or medical treatment, that is either obtained from a medical profession, medical care institution, individual, spouse, parent, or legal guardian.

Personal Information does not include information that is lawfully available from Federal, State, or local government records.

WHO TO NOTIFY OF THE BREACH.  Notification of the breach must be sent to the affected residents. If the notice states or implies that the individual may obtain a copy of their file from a consumer credit reporting agency, the person or business giving notice shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice.  Such coordination may not unreasonably delay notice to the affected residents.  Entity must also electronically submit a copy of the notification and a statement providing the date, method of distribution of the notification to residents and provide the number of residents who received notification, to the Attorney General’s consumer protection office, excluding any personally identifiable information.

EXCEPTIONThis Section does not apply to the following:

  • A good faith acquisition of Personal Information by an employee or agent of the entity for internal purposes only is not a breach, if it is not used for an unrelated purpose, or subject to further unauthorized disclosure.
  • A person or business which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the person or business in accordance with its policies.

WHEN TO NOTIFY OF THE BREACHNotification must be sent when the person or business discovers or is notified of a security breach.  The disclosure shall be made without unreasonable delay consistent with the needs of law enforcement or any measures necessary to determine the scope of the breach, and to restore the reasonable integrity of the data system.  Notification may be delayed if law enforcement determines it will impede a criminal investigation, and it is requested.  In that instance, notification must be made following clearance by law enforcement. 

HOW TO NOTIFY OF THE BREACH.  Notice may be provided by one of the following methods:

  • Written.
  • Telephonic.
  • Electronic (if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
  • Substitute notice as provided below.

SUBSTITUTE NOTICE AVAILABLE.  If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used.  Substitute notice shall consist of all of the following:

  • Email notice if the entity has an Email address for the individual(s) subject to notice.
  • Conspicuous posting of the notice on the website of the entity if one is maintained.
  • Notification to local or statewide media.

NOTICE TO THIRD-PARTIES.  If a person or business maintains computerized data which includes Personal Information that it does not own, then the person or business shall notify the owner or licensee of the security breach immediately upon discovery.  The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s). 

CONSEQUENCES FOR FAILING TO NOTIFYAny failure to comply with the provisions of this Section is considered a violation of the Montana Consumer Protection Act.  Any person or business which violates this Section is subject to the following:

  • A court order obtained by the State to temporarily or permanently restrain or prohibit further violations.
    • Any person or business which violates the court order is subject to a fine of up to $10,000.
  • If a court finds that a person or business has willfully violated this Section, it may be fined up to $10,000 per violation.
  • Any person or business that is convicted of fraud shall be fined up $5,000 per violation and/or sentenced up to a year in jail.

Monetary penalties are cumulative.

PRIVATE RIGHT OF ACTIONNone provided in the statute.

REQUIREMENTS OF REASONABLE SECURITY MEASURES

DATA DISPOSAL PROVISIONSMont. Code Ann. § 30-14-1703.  A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.

LEGISLATIVE UPDATES.

H.B. 732 – Signed into law on 4/28/2005, Effective 3/1/2006.

H.B. 74 – Signed into law on 2/27/2015, Effective 10/1/2015.

 

CITATION:

Montana Code Annotated 2021

TITLE 30. TRADE AND COMMERCE

CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION

Part 17. Impediment of Identity Theft

30-14-1701 Purpose

30-14-1702 Definitions

30-14-1703 Record destruction

30-14-1704 Computer security breach

 

30-14-1701. Purpose. The purpose of 30-14-1701 through 30-14-1705, 30-14-1712, and 30-14-1713 is to enhance the protection of individual privacy and to impede identity theft as prohibited by 45-6-332.

History: En. Sec. 4, Ch. 518, L. 2005; amd. Sec. 3, Ch. 276, L. 2007.

 

30-14-1702. Definitions. As used in 30-14-1701 through 30-14-1705, 30-14-1712, and 30-14-1713, unless the context requires otherwise, the following definitions apply:

(1) (a) "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or any other country or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records. The term also includes industries regulated by the public service commission or under Title 30, chapter 10.

(b) The term does not include industries regulated under Title 33.

(2) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.

(3) "Electronic mail message" means a message sent to a unique destination, commonly expressed as a string of characters, consisting of a unique user name or electronic mailbox and a reference to an internet domain, whether or not displayed, to which an electronic message can be sent or delivered.

(4) "Individual" means a natural person.

(5) "Internet" has the meaning provided in 2-17-551.

(6) "Internet services provider" has the meaning provided in 2-17-602.

(7) "Personal information" means an individual's name, signature, address, or telephone number, in combination with one or more additional pieces of information about the individual, consisting of the individual's passport number, driver's license or state identification number, insurance policy number, bank account number, credit card number, debit card number, passwords or personal identification numbers required to obtain access to the individual's finances, or any other financial information as provided by rule. A social security number, in and of itself, constitutes personal information.

(8) (a) "Records" means any material, regardless of the physical form, on which personal information is recorded.

(b) The term does not include publicly available directories containing personal information that an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

(9) "Website" means an electronic location that has a single uniform resource locator or other single location with respect to the internet.

History: En. Sec. 5, Ch. 518, L. 2005; amd. Sec. 4, Ch. 276, L. 2007.

 

30-14-1703. Record destruction. A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.

History: En. Sec. 6, Ch. 518, L. 2005.

 

30-14-1704. Computer security breach. (1) Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(2) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.

(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay in notification. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.

(4) For purposes of this section, the following definitions apply:

(a) "Breach of the security of the data system" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure.

(b) (i) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) social security number;

(B) driver's license number, state identification card number, or tribal identification card number;

(C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;

(D) medical record information as defined in 33-19-104;

(E) a taxpayer identification number; or

(F) an identity protection personal identification number issued by the United States internal revenue service.

(ii) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(5) (a) For purposes of this section, notice may be provided by one of the following methods:

(i) written notice;

(ii) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001;

(iii) telephonic notice; or

(iv) substitute notice, if the person or business demonstrates that:

(A) the cost of providing notice would exceed $250,000;

(B) the affected class of subject persons to be notified exceeds 500,000; or

(C) the person or business does not have sufficient contact information.

(b) Substitute notice must consist of the following:

(i) an electronic mail notice when the person or business has an electronic mail address for the subject persons; and

(ii) conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; or

(iii) notification to applicable local or statewide media.

(6) Notwithstanding subsection (5), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and that does not unreasonably delay notice is considered to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the data system.

(7) If a business discloses a security breach to any individual pursuant to this section and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual. The coordination may not unreasonably delay the notice to the affected individuals.

(8) Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.

History: En. Sec. 7, Ch. 518, L. 2005; amd. Sec. 3, Ch. 180, L. 2007; amd. Sec. 3, Ch. 62, L. 2015.

 

 

For more information, see here:  https://www.leg.mt.gov/bills/mca/title_0300/chapter_0140/part_0170/sections_index.html

AND

https://dojmt.gov/consumer/data-breaches-businesses/

 

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.