Data Breaches – For Businesses

DATA BREACHES – Reporting Requirements for Businesses

Montana statutes governing data breaches require businesses to notify affected Montana residents if the resident’s personal information is compromised. The notice must be made without reasonable delay, consistent with the legitimate needs of law enforcement.

Any business that is required to issue any such a notice is also required to simultaneously submit an electronic copy of the notice to the Office of Consumer Protection (OCP) at [email protected].

The copy of the notice should exclude any information that personally identifies the consumer.
If the same notice is made to more than one consumer, the business is required to submit a single copy of the notice to the OCP. However, the business should indicate the number of Montana residents who were notified.
The business should also advise the OCP of the date the notice was made and the notice’s method of distribution (e.g., U.S. Mail, e-mail, telephone, etc.).

Frequently Asked Questions

Montana Code Annotated section 30-14-1704 sets forth a business’s obligations if a Montana resident’s personal information is compromised. A business should review MCA § 30-14-1704 to understand the requirements of Montana law. The following is a summary of frequently asked questions about Montana law.

Q. What constitutes a breach of the security of a data system?

A. Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the business, and causes – or is reasonably believed to cause – loss or injury to a Montana resident.

Q. What constitutes personal information?

A. A first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted:
            (i)         a social security number;
            (ii)        a driver’s license number, state identification card number, or tribal identification number;
            (iii)       an account number, or credit or debit card number, in combination with any required security code, access code, or password;
            (iv)       medical record information as defined in 33-19-104;
            (v)        taxpayer identification number; or
           (vi)       an identity protection personal identification number issued by the U.S. Internal Revenue Service.

Q. How many Montanans need to be affected in order to trigger the requirement of notice?

A. One or more.

Q. How does a business provide notice to the affected consumer?

A. Via written notice, electronic notice (if consistent with 15 U.S.C. 7001), telephonic notice, or substitute notice.

Q. What information does the notification require?

A. At a minimum, the business should notify a Montana resident if the resident’s personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The notice should include the date or dates of the breach or probable breach. The notice should identify those elements of personal information that were likely acquired.

Q. Where does my business send the electronic copy of the notification,the statement providing the date and method of distribution of the notification, and the number of Montanans affected?

A. To the Attorney General’s Office of Consumer Protection via e-mail to [email protected].

Q. I am engaged in the insurance business. Am I required to provide a copy of a notice to the Attorney General if personal information is believed to have been acquired by an unauthorized person?

A. No, you should not send a copy of the notice to Attorney General. However, you should review MCA § 33-19-321. You may be required to notify the Commissioner of Insurance.

Q. I am not engaged in a business. However, I am employed by a state agency. Does a state agency have any notice requirements if personal information is believed to have been acquired by an unauthorized person?

A. Yes, state agencies are obliged to issue similar data breach notices. State agencies are defined as an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government. State agencies should review MCA § 2-6-1501 to MCA § 2-6-1503.

Other Information

The Consumer Federation of America has provided additional information that may be of assistance to you. Check out their 7 questions to ask fact sheet.

Crime & Law

Attorney General’s Office

Special Services Bureau

Forensic Science Division

Missing Persons

Victim Services

Healthcare Violence Reporting

Law Enforcement

Background Checks

Criminal Records

Division of Criminal Investigation

Montana Highway Patrol

Montana Law Enforcement Academy

Public Safety Officer Standards

Regulation

Motor Vehicle Division

Office of Consumer Protection

Gambling Control Division

Natural Resource Damage Program

Internal Services

Central Services Division

Justice IT Services

File A Complaint

Data Breaches

If You Have Been Affected by a Data Breach

Reported Data Breach Incidents

Other Information

Consumer Alerts and Scam Alerts

Common Scams

Tow Truck Company Complaints

Unauthorized Practice of Law

Credit Reports

Obtain Your Credit Report

How to Dispute Errors on Your Credit Report

Common Issues

Choosing a Contractor

Debt Relief -- What You Need to Know

Farmers and Ranchers

Gift Cards

Identity Theft & Security Freeze

Common Issues

Internet Security

Military & Veteran Consumer Protection

Oil & Gas Leasing Tips

Other Helpful Agencies and Resources

Outreach

Purchasing a New Vehicle and the Lemon Law

Common Issues

Purchasing A Used Vehicle

RESOLVE - End Rx Drug Abuse

Service Contracts

Small Claims Court

Telemarketing Calls and Do Not Call Registry

Tenants and Landlords

Donations To Charities

Guide For Nonprofits

Nonprofit Complaint

Other Issues

Charity Care Policies in Montana

Hospital Reports 2008-2014

Data Breach Reporting Requirements

Debt Management/Debt Settlement Businesses

Telemarketing Business Information

Tobacco Directory & Tobacco Settlement

End of Life Registry/Advance Health Care Directives

Resources

Advance Health Care Directives

Health Care Provider Registration

Visit End of Life Registry

Data Breaches – For Businesses