Montana Amends Data Breach Statute | Practical Law

Montana Amends Data Breach Statute | Practical Law

The Governor of Montana has signed a bill amending the state's data breach statutes. The bill expands the definition of personal information and requires entities suffering a breach to notify the state's consumer protection office or the insurance commissioner.

Montana Amends Data Breach Statute

Practical Law Legal Update 5-604-4806 (Approx. 3 pages)

Montana Amends Data Breach Statute

by Practical Law Intellectual Property & Technology
Published on 12 Mar 2015Montana
The Governor of Montana has signed a bill amending the state's data breach statutes. The bill expands the definition of personal information and requires entities suffering a breach to notify the state's consumer protection office or the insurance commissioner.
On February 27, 2015, Montana Governor Steve Bullock signed HB 74 into law, which amends the state's data breach notification statutes, Mont. Code. Ann. § 30-14-1704; (general business statute); Mont. Code Ann. §§ 2-6-501 and 2-6-504 (state agencies), Mont. Code Ann. § 33-19-321 (insurance businesses), to:
  • Expand the definition of personally identifiable information (PII).
  • Include a requirement to notify the attorney general's office or the insurance commissioner when a breach occurs.

Definition of PII

The current versions of the statutes define personal information to include an individual's first name or initial with last name in combination with one or more of the following data elements, if either the name or the data elements are not encrypted:
  • Social Security number.
  • Driver's license, state ID card or tribal ID card number.
  • Account, credit or debit card number in combination with any required security code, access code or password that would permit access to the account.
HB 74 amends the definition of PII to add the following elements:
  • Medical record information as defined in § 33-19-104.
  • A taxpayer identification number.
  • An identity protection personal identification number issued by the US IRS.

Government Agency Reporting

The current versions of the statutes do not require a covered entity to report a breach to a government agency. HB 74 amends the statutes to require a covered entity to provide the following information to the attorney general's office of consumer protection, or, in the case of insurance entities, the insurance commissioner:
  • An electronic copy of the notification letter sent to individuals.
  • The number of individuals affected by the breach, if the notice was sent to more than one person.
  • A statement providing the date and method of distribution of the notification.
HB 74 will be effective October 1, 2015.