Montana Impediment of Identity Theft
Mont. Code Ann. § 30-14-1701, et seq.
Montana Code Annotated 2021
TITLE 30. TRADE AND COMMERCE
CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION
Part 17. Impediment of Identity Theft
30-14-1701 Purpose
30-14-1702 Definitions
30-14-1703 Record destruction
30-14-1704 Computer security breach
30-14-1705 Department to restrain unlawful acts -- penalty
30-14-1706 through 30-14-1711 reserved
30-14-1712 Fraudulent electronic misrepresentation -- penalties -- exemption
30-14-1713 Remedies for fraudulent electronic misrepresentation
30-14-1714 through 30-14-1720 reserved
30-14-1721 Identity theft impediments -- credit cards -- definition
30-14-1722 Identity theft impediments -- credit card renewal -- telephone accounts
30-14-1723 through 30-14-1725 reserved
30-14-1726 Definitions
30-14-1727 Placement of security freeze
30-14-1728 Consumer reporting agency requirements
30-14-1729 Temporary lifting of security freeze -- consumer requirements -- consumer reporting agency duties -- notification
30-14-1730 Consumer reporting agency security freeze removal procedures -- notification
30-14-1731 Third-party contacts
30-14-1732 Security freeze removal procedure
30-14-1733 Notice of rights
30-14-1734 Exceptions -- exemptions
30-14-1735 Fees
30-14-1736 Violations – penalties
30-14-1701. Purpose. The purpose of 30-14-1701 through 30-14-1705, 30-14-1712, and 30-14-1713 is to enhance the protection of individual privacy and to impede identity theft as prohibited by 45-6-332.
History: En. Sec. 4, Ch. 518, L. 2005; amd. Sec. 3, Ch. 276, L. 2007.
30-14-1702. Definitions. As used in 30-14-1701 through 30-14-1705, 30-14-1712, and 30-14-1713, unless the context requires otherwise, the following definitions apply:
(1) (a) "Business" means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or any other country or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records. The term also includes industries regulated by the public service commission or under Title 30, chapter 10.
(b) The term does not include industries regulated under Title 33.
(2) "Customer" means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.
(3) "Electronic mail message" means a message sent to a unique destination, commonly expressed as a string of characters, consisting of a unique user name or electronic mailbox and a reference to an internet domain, whether or not displayed, to which an electronic message can be sent or delivered.
(4) "Individual" means a natural person.
(5) "Internet" has the meaning provided in 2-17-551.
(6) "Internet services provider" has the meaning provided in 2-17-602.
(7) "Personal information" means an individual's name, signature, address, or telephone number, in combination with one or more additional pieces of information about the individual, consisting of the individual's passport number, driver's license or state identification number, insurance policy number, bank account number, credit card number, debit card number, passwords or personal identification numbers required to obtain access to the individual's finances, or any other financial information as provided by rule. A social security number, in and of itself, constitutes personal information.
(8) (a) "Records" means any material, regardless of the physical form, on which personal information is recorded.
(b) The term does not include publicly available directories containing personal information that an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.
(9) "Website" means an electronic location that has a single uniform resource locator or other single location with respect to the internet.
History: En. Sec. 5, Ch. 518, L. 2005; amd. Sec. 4, Ch. 276, L. 2007.
30-14-1703. Record destruction. A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.
History: En. Sec. 6, Ch. 518, L. 2005.
30-14-1704. Computer security breach. (1) Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(2) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay in notification. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.
(4) For purposes of this section, the following definitions apply:
(a) "Breach of the security of the data system" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure.
(b) (i) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) social security number;
(B) driver's license number, state identification card number, or tribal identification card number;
(C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(D) medical record information as defined in 33-19-104;
(E) a taxpayer identification number; or
(F) an identity protection personal identification number issued by the United States internal revenue service.
(ii) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(5) (a) For purposes of this section, notice may be provided by one of the following methods:
(i) written notice;
(ii) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001;
(iii) telephonic notice; or
(iv) substitute notice, if the person or business demonstrates that:
(A) the cost of providing notice would exceed $250,000;
(B) the affected class of subject persons to be notified exceeds 500,000; or
(C) the person or business does not have sufficient contact information.
(b) Substitute notice must consist of the following:
(i) an electronic mail notice when the person or business has an electronic mail address for the subject persons; and
(ii) conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; or
(iii) notification to applicable local or statewide media.
(6) Notwithstanding subsection (5), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and that does not unreasonably delay notice is considered to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the data system.
(7) If a business discloses a security breach to any individual pursuant to this section and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual. The coordination may not unreasonably delay the notice to the affected individuals.
(8) Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
History: En. Sec. 7, Ch. 518, L. 2005; amd. Sec. 3, Ch. 180, L. 2007; amd. Sec. 3, Ch. 62, L. 2015.
30-14-1705. Department to restrain unlawful acts -- penalty. (1) Whenever the department has reason to believe that a person has violated this part and that proceeding would be in the public interest, the department may bring an action in the name of the state against the person to restrain by temporary or permanent injunction or temporary restraining order the use of the unlawful method, act, or practice upon giving appropriate notice to that person pursuant to 30-14-111(2).
(2) The provisions of 30-14-111(3) and (4) and 30-14-112 through 30-14-115 apply to this part.
(3) A violation of this part is a violation of 30-14-103, and the penalties for a violation of this part are as provided in 30-14-142.
History: En. Sec. 8, Ch. 518, L. 2005.
30-14-1706 through 30-14-1711 reserved.
30-14-1712. Fraudulent electronic misrepresentation -- penalties -- exemption. (1) An individual or business that, by means of a website, an electronic mail message, or otherwise through the internet, solicits, requests, or takes an action to induce another individual or business to provide personal information by purporting to be a third-party individual or a business without the authority or approval of the third-party individual or business is guilty of a theft of identity, as provided in 45-6-332(1). This crime of fraudulent electronic misrepresentation is commonly known as "phishing".
(2) An individual or a business that is adversely affected by a violation of subsection (1) has a private right of action, as provided in 30-14-1713.
(3) The attorney general or a county attorney in a county where the violation under subsection (1) is reported may bring a criminal action against an individual or a business accused of engaging in a pattern and practice of violating subsection (1) and, in addition to bringing a criminal action, may request a court of competent jurisdiction to issue a temporary injunction against the continued use of a website, an electronic mail message, or the internet by the individual or business served with the injunction.
(4) An internet services provider may not be held liable for identifying, removing, or disabling access to an internet website or other online location if the internet services provider believes that the internet website or other online location is being used to engage in a violation of this section.
History: En. Sec. 1, Ch. 276, L. 2007.
30-14-1713. Remedies for fraudulent electronic misrepresentation. (1) A business, including the owner of a website or the owner of a trademark, that is adversely affected by a violation of 30-14-1712(1) may bring an action to recover the greater of actual damages or $500,000.
(2) An individual who is adversely affected by a violation of 30-14-1712(1) may bring an action against an individual or a business that has directly violated 30-14-1712(1) for the greater of three times actual damages or $5,000 for each violation.
History: En. Sec. 2, Ch. 276, L. 2007.
30-14-1714 through 30-14-1720 reserved.
30-14-1721. Identity theft impediments -- credit cards -- definition. (1) A credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a credit card that lists an address that is different from the address on the offer or solicitation shall verify the change of address by contacting the person to whom the solicitation or offer was mailed, as provided in 30-14-1722.
(2) Notwithstanding any other provision of law, a person to whom an offer or solicitation to receive a credit card is made is not liable for the unauthorized use of a credit card issued in response to that offer or solicitation if the credit card issuer does not verify the change of address pursuant to subsection (1) prior to the issuance of the credit card unless the credit card issuer proves that this person actually incurred the charge on the credit card.
(3) When a credit card issuer receives a written or oral request for a change of the cardholder's billing address and then receives a written or oral request for an additional credit card within 10 days after the requested address change, the credit card issuer may not mail the requested additional credit card to the new address or, alternatively, activate the requested additional credit card unless the credit card issuer has verified the change of address.
(4) (a) Except as provided in subsections (4)(b) through (4)(d), a person, firm, partnership, association, corporation, or limited liability company that accepts credit cards for the transaction of business may not print more than the last five digits of the credit card account number or the expiration date upon any receipt provided to the cardholder.
(b) Subsection (4)(a) applies only to receipts that are electronically printed and does not apply to transactions in which the sole means of recording the person's credit card number is by handwriting or by an imprint or copy of the credit card.
(c) Subsection (4)(a) applies beginning January 1, 2008, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is in use before January 1, 2005.
(d) Subsection (4)(a) applies beginning January 1, 2006, with respect to any cash register or other machine or device that electronically prints receipts for credit card transactions that is first put into use on or after January 1, 2005.
(5) (a) As used in this section, "credit card" means any card, plate, coupon book, or other single credit device existing for the purpose of being used from time to time upon presentation to obtain money, property, labor, or services on credit.
(b) "Credit card" does not mean any of the following:
(i) any single credit device used to obtain telephone property, labor, or services in any transaction with an entity under regulation as a public utility;
(ii) any device that may be used to obtain credit pursuant to an electronic funds transfer, but only if the credit is obtained under an agreement between a consumer and a financial institution to extend credit when the consumer's asset account is overdrawn or to maintain a specified minimum balance in the consumer's asset account;
(iii) any key or card key used at an automated dispensing outlet to obtain or purchase petroleum products that will be used primarily for business rather than personal or family purposes.
History: En. Sec. 2, Ch. 518, L. 2005.
30-14-1722. Identity theft impediments -- credit card renewal -- telephone accounts. (1) A credit card issuer that receives a change of address request, other than for a correction of a typographical error, from a cardholder who orders a replacement credit card within 60 days before or after that request is received shall send to that cardholder a change of address notification that is addressed to the cardholder at the cardholder's previous address of record. If the replacement credit card is requested prior to the effective date of the change of address, the notification must be sent within 30 days of the change of address request. If the replacement credit card is requested after the effective date of the change of address, the notification must be sent within 30 days of the request for the replacement credit card.
(2) Any business entity that provides telephone accounts that receives a change of address request, other than for a correction of a typographical error, from an account holder who orders new service shall send to that account holder a change of address notification that is addressed to the account holder at the account holder's previous address of record. The notification must be sent within 30 days of the request for new service.
(3) The notice required pursuant to subsection (1) or (2) may be given by telephone or electronic mail communication if the credit card issuer or business entity that provides telephone accounts reasonably believes that it has the current telephone number or electronic mail address for the account holder or cardholder who has requested a change of address. If the notification is in writing, it may not contain the consumer's account number, social security number, or other personal identifying information but may contain the consumer's name, previous address, and new address of record. For business entities described in subsection (2), the notification may also contain the account holder's telephone number.
(4) A credit card issuer or a business entity that provides telephone accounts is not required to send a change of address notification when a change of address request is made in person by a consumer who has presented valid identification or is made by telephone and the requester has provided a unique alphanumeric password.
(5) As used in this section, the following definitions apply:
(a) "Credit card" has the meaning provided in 30-14-1721.
(b) "Telephone account" means an account with a telecommunications carrier, as defined in 69-3-803.
History: En. Sec. 3, Ch. 518, L. 2005.
30-14-1723 through 30-14-1725 reserved.
30-14-1726. Definitions. As used in 30-14-1726 through 30-14-1736, the following definitions apply:
(1) "Consumer" means an individual, a parent or guardian in the case of a minor or of an incapacitated person as defined in 72-5-101, or a conservator in the case of a protected person as defined in 72-5-101.
(2) "Consumer reporting agency" means any person that, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information on consumers for the purpose of furnishing credit reports to a third party and that uses any means or facility of interstate commerce for the purpose of preparing or furnishing credit reports.
(3) "Credit report" means any written, oral, or other communication of any information by a consumer reporting agency:
(a) bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and
(b) that is used or expected to be used in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:
(i) credit to be used primarily for personal, family, or household purposes;
(ii) employment purposes; or
(iii) any other purpose authorized under 15 U.S.C. 1681(b).
(4) "Person" means an individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.
(5) "Proper identification" means information sufficient to verify identity.
(6) "Reviewing the account" or "account review" includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
(7) (a) "Security freeze" means a notice that:
(i) is placed in a consumer's credit report at the request of the consumer;
(ii) is subject to exceptions and exemptions provided in 30-14-1734;
(iii) prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or credit score without the express authorization of the consumer, as provided in 30-14-1729.
(b) A security freeze does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.
History: En. Sec. 1, Ch. 138, L. 2007; amd. Sec. 1, Ch. 42, L. 2011.
30-14-1727. Placement of security freeze. (1) A consumer may elect to place a security freeze on the consumer's own credit report by making a request:
(a) in writing by regular or certified mail to a consumer reporting agency at an address designated by the consumer reporting agency to receive the request; or
(b) directly to the consumer reporting agency through a secure electronic connection specified by the consumer reporting agency.
(2) A consumer, acting in the capacity of a parent or guardian in the case of a minor or of an incapacitated person as defined in 72-5-101 or a conservator in the case of a protected person as defined in 72-5-101, may request that a consumer reporting agency place a freeze on the credit report of the minor or incapacitated or protected person by making a request in writing to the consumer reporting agency at an address designated by the consumer reporting agency to receive the request.
History: En. Sec. 2, Ch. 138, L. 2007; amd. Sec. 2, Ch. 42, L. 2011.
30-14-1728. Consumer reporting agency requirements. (1) Except as provided in subsection (2), a consumer reporting agency shall place a security freeze on a consumer's credit report no later than 5 business days after receiving from the consumer:
(a) a written or electronic request, as provided in 30-14-1727;
(b) proper identification; and
(c) a fee, if applicable.
(2) If a consumer who has been the victim of identity theft, as prescribed by 45-6-332, requests a security freeze, the consumer reporting agency shall place a security freeze on the consumer's credit report no later than 24 hours after receiving notice as provided in 30-14-1727 and a valid police report, investigative report, or complaint that the consumer has filed with a law enforcement agency.
(3) The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within 5 business days of placing the security freeze and at the same time shall provide the consumer with a unique personal identification number, password, or similar device to be used by the consumer when providing authorization for a release of the consumer's credit for a specific party or period of time, as provided in 30-14-1729.
(4) A consumer reporting agency may not suggest or otherwise state or imply to a third party that the consumer's security freeze reflects a negative credit score, history, report, or rating.
History: En. Sec. 3, Ch. 138, L. 2007.
30-14-1729. (Temporary) Temporary lifting of security freeze -- consumer requirements -- consumer reporting agency duties -- notification. (1) A consumer who wishes to allow access to the consumer's own credit report by a specific party or for a specific period of time while a security freeze is in place shall contact each consumer reporting agency, using a point of contact designated by the consumer reporting agency by regular or certified mail, telephone, or a secure electronic connection, request that the security freeze be temporarily lifted, and provide all of the following:
(a) proper identification;
(b) the unique personal identification number, password, or device provided by the consumer reporting agency pursuant to 30-14-1728(3);
(c) the proper information regarding the third party who is to receive the credit report or the time period for which the credit report is to be available to users of the credit report; and
(d) a fee, if applicable.
(2) (a) Except as provided in subsection (2)(b), a consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report as provided in subsection (1) shall comply with the request no later than 3 business days after receiving the request.
(b) By no later than January 31, 2009, a consumer reporting agency shall honor a request for the temporary lifting of a security freeze made by telephone or through a secure electronic connection designated by the consumer reporting agency within 15 minutes of receiving the request unless one of the following circumstances applies:
(i) the consumer fails to meet the requirements of subsections (1)(a) through (1)(c); or
(ii) the consumer reporting agency's ability to remove the security freeze within 15 minutes is prevented by:
(A) a natural disaster or act of God, including fire, earthquake, or hurricane;
(B) unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, or a labor strike or similar labor dispute disrupting operations;
(C) operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, or computer hardware or software failures inhibiting response time;
(D) governmental action, including emergency orders or regulations or judicial or law enforcement action;
(E) receipt of a removal request outside of normal business hours; or
(F) maintenance of, updates to, or repair of the consumer reporting agency's systems, whether regularly scheduled or unexpected or unscheduled.
(c) For the purposes of this section, "normal business hours" means from 6 a.m. to 9:30 p.m., mountain standard time or mountain daylight time, 7 days a week, excluding holidays.
(3) A consumer reporting agency shall:
(a) designate the contact address and telephone number along with a telefax number or appropriate electronic access address when providing the unique personal identification number, password, or other device as provided in 30-14-1728(3); and
(b) develop procedures to implement this section by January 31, 2009, involving the use of telephone, telefax, or electronic connection, using a process for legally required notices provided for in the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001.
(4) Only the attorney general may enforce the provisions of this section related to a failure to comply with the 15-minute requirement for the temporary lifting of a security freeze.
30-14-1729. (Effective on occurrence of contingency) Temporary lifting of security freeze -- consumer requirements -- consumer reporting agency duties -- notification. (1) A consumer who wishes to allow access to the consumer's own credit report by a specific party or for a specific period of time while a security freeze is in place shall contact each consumer reporting agency, using a point of contact designated by the consumer reporting agency by regular or certified mail, telephone, or a secure electronic connection, request that the security freeze be temporarily lifted, and provide all of the following:
(a) proper identification;
(b) the unique personal identification number, password, or device provided by the consumer reporting agency pursuant to 30-14-1728(3);
(c) the proper information regarding the third party who is to receive the credit report or the time period for which the credit report is to be available to users of the credit report; and
(d) a fee, if applicable.
(2) (a) Except as provided in subsection (2)(b), a consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report as provided in subsection (1) shall comply with the request no later than 3 business days after receiving the request.
(b) By no later than January 31, 2009, a consumer reporting agency shall honor a request for the temporary lifting of a security freeze made by telephone or through a secure electronic connection designated by the consumer reporting agency within 15 minutes of receiving the request unless one of the following circumstances applies:
(i) the consumer fails to meet the requirements of subsections (1)(a) through (1)(c); or
(ii) the consumer reporting agency's ability to remove the security freeze within 15 minutes is prevented by:
(A) a natural disaster or act of God, including fire, earthquake, or hurricane;
(B) unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, or a labor strike or similar labor dispute disrupting operations;
(C) operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, or computer hardware or software failures inhibiting response time;
(D) governmental action, including emergency orders or regulations or judicial or law enforcement action;
(E) receipt of a removal request outside of normal business hours; or
(F) maintenance of, updates to, or repair of the consumer reporting agency's systems, whether regularly scheduled or unexpected or unscheduled.
(c) For the purposes of this section, "normal business hours" means from 6 a.m. to 9:30 p.m., mountain daylight time, 7 days a week, excluding holidays.
(3) A consumer reporting agency shall:
(a) designate the contact address and telephone number along with a telefax number or appropriate electronic access address when providing the unique personal identification number, password, or other device as provided in 30-14-1728(3); and
(b) develop procedures to implement this section by January 31, 2009, involving the use of telephone, telefax, or electronic connection, using a process for legally required notices provided for in the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001.
(4) Only the attorney general may enforce the provisions of this section related to a failure to comply with the 15-minute requirement for the temporary lifting of a security freeze.
History: En. Sec. 4, Ch. 138, L. 2007; amd. Sec. 2, Ch. 447, L. 2021.
30-14-1730. Consumer reporting agency security freeze removal procedures -- notification. (1) A consumer reporting agency shall remove or temporarily lift a security freeze placed on a credit report:
(a) upon the consumer's request pursuant to 30-14-1729 or 30-14-1732; or
(b) if the consumer reporting agency determines that the consumer made a material misrepresentation of fact when requesting the security freeze.
(2) When a consumer reporting agency removes a security freeze as provided in subsection (1)(b), the consumer reporting agency shall notify the consumer in writing at least 5 business days prior to removing the security freeze on the credit report.
History: En. Sec. 5, Ch. 138, L. 2007.
30-14-1731. Third-party contacts. If a third party not enumerated in 30-14-1734(1) requests for the purpose of an application access to a credit report on which a security freeze is in effect and the consumer has not provided a temporary lifting of a security freeze for that specific party or a period of time, the third party may treat the application as incomplete.
History: En. Sec. 6, Ch. 138, L. 2007.
30-14-1732. Security freeze removal procedure. (1) A security freeze must remain in place until the consumer requests that the security freeze be removed or temporarily lifted as provided in 30-14-1729.
(2) After receiving a request from the consumer to remove a security freeze, a consumer reporting agency shall remove the security freeze within 3 business days of receiving a removal request at the point of contact designated by the consumer reporting agency if the consumer provides the following:
(a) proper identification; and
(b) the unique personal identification number, password, or other device provided by the consumer reporting agency pursuant to 30-14-1728(3).
History: En. Sec. 7, Ch. 138, L. 2007.
30-14-1733. Notice of rights. A consumer reporting agency shall provide a notice of rights as stated below at any time that a consumer is required to receive a summary of rights required under 15 U.S.C. 1681(g) of the Fair Credit Reporting Act.
NOTICE OF RIGHTS: Montana Consumers Have the Right to Obtain a Security Freeze
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a security freeze on your credit report pursuant to Montana law.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within 5 business days you will be provided a personal identification number, password, or other device to use if you choose to remove the security freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties, or period of time after the security freeze is in place. To provide that authorization, you shall contact the consumer reporting agency and provide all of the following:
(1) the unique personal identification number, password, or other device provided by the consumer reporting agency;
(2) the proper identification to verify your identity;
(3) the proper information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report is to be available to users of the credit report; and
(4) a fee, if applicable.
A consumer reporting agency that receives a request from a consumer to temporarily lift a security freeze on a credit report shall comply no later than 3 business days after receiving the request or, after January 31, 2009, within 15 minutes of receiving a request by telephone or through a secure electronic connection.
A security freeze does not apply to circumstances in which you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action may be brought against a consumer reporting agency or a user of your credit report.
History: En. Sec. 8, Ch. 138, L. 2007.
30-14-1734. Exceptions -- exemptions. (1) The provisions of 30-14-1726 through 30-14-1733 and 30-14-1735 do not apply to the following for the purposes of accessing or using a credit report:
(a) a person or the person's subsidiary, affiliate, agent, or assignee with which the consumer has, or prior to assignment had, an account, contract, or debtor-creditor relationship when using a credit report for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt;
(b) a subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted to a credit report under 30-14-1729 for purposes of facilitating the extension of credit or other permissible use;
(c) any person using a credit report and acting pursuant to a court order, warrant, or subpoena;
(d) any federal, state, or local agency that administers a program for establishing and enforcing child support obligations;
(e) any federal, state, or local agency or its agents or assigns acting to investigate fraud;
(f) any federal, state, or local agency or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities;
(g) a person for use of a credit report for the purpose of prescreening as described by the Fair Credit Reporting Act, 15 U.S.C. 1681, et seq.;
(h) a person or entity administering a credit file monitoring subscription or similar service to which the consumer has subscribed;
(i) a person or entity for the purpose of providing a consumer with a copy of the consumer's own credit report or score and upon the consumer's request;
(j) a person or entity regulated under Title 33; or
(k) a consumer reporting agency for its database or file that consists entirely of information concerning, and used solely for, one or more of the following:
(i) criminal record information;
(ii) tenant screening;
(iii) employment screening;
(iv) fraud prevention or detection; or
(v) personal loss history information.
(2) The following entities are exempt from placing a security freeze on a credit report:
(a) a check services company or fraud prevention services company that issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers, or similar methods of payments;
(b) a deposit account information service company that issues reports regarding account closures because of fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution; or
(c) a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the database of another consumer reporting agency or multiple consumer reporting agencies and that does not maintain a permanent database of credit information from which new credit reports are produced. However, a consumer reporting agency acting as a reseller shall honor any security freeze placed on a credit report by another consumer reporting agency.
History: En. Sec. 9, Ch. 138, L. 2007.
30-14-1735. Fees. (1) Except as provided in subsection (2), a consumer reporting agency may charge an administrative fee, not to exceed $3, to a consumer for each security freeze or temporary lifting of a security freeze as provided in 30-14-1729, but not for removal of a security freeze as provided in 30-14-1732.
(2) A consumer reporting agency may not charge a fee under 30-14-1728 to a consumer who has been the victim of identity theft and who has submitted to the consumer reporting agency a valid police report, an investigative report, or a complaint that the consumer has filed with a law enforcement agency.
(3) A consumer may be charged a reasonable fee, not to exceed $5, if the consumer fails to retain the original personal identification number, password, or other device provided by the consumer reporting agency and if the consumer asks the consumer reporting agency to reissue the same or a new personal identification number, password, or other device.
History: En. Sec. 10, Ch. 138, L. 2007.
30-14-1736. Violations -- penalties. (1) A person who willfully fails to comply with any requirements imposed in 30-14-1727 through 30-14-1735 with respect to a consumer is liable to that consumer in an amount equal to the sum of:
(a) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; or
(b) punitive damages in an amount that the court may allow; and
(c) the costs of the action together with reasonable attorney fees as determined by the court in the case of a successful action to enforce liability under this section.
(2) A person who obtains a credit report or requests a security freeze, the temporary lifting of a security freeze, or the removal of a security freeze from a consumer reporting agency under false pretenses or in an attempt to violate federal or state law is liable to the consumer reporting agency for actual damages sustained by the consumer reporting agency or $1,000, whichever is greater.
(3) A person who negligently fails to comply with any requirement imposed in 30-14-1727 through 30-14-1735 with respect to any consumer is liable to that consumer in an amount equal to the sum of:
(a) any actual damages sustained by the consumer as a result of the failure; and
(b) the costs of the action together with reasonable attorney fees as determined by the court in the case of a successful action to enforce liability under this section.
(4) If a court finds that an unsuccessful pleading, motion, or other paper filed under this section was filed in bad faith or for purposes of harassment, the court shall award to the prevailing party reasonable attorney fees as determined by the court.
History: En. Sec. 11, Ch. 138, L. 2007.
Impediment of Identity Theft (Montana Code Sec. 30-14-1701 through 30-14-1705 and Sec. 33-19-321, added by Laws of 2005, Chapter 518, approved April 28, 2005, effective March 1, 2006, amended by Laws of 2007, Chapter 180, approved April 10, 2007, effective October 1, 2007.)
For more information, see here: https://www.leg.mt.gov/bills/mca/title_0300/chapter_0140/part_0170/sections_index.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.