Consumer Protection Data Breaches for Businesses


DATA BREACHES – Reporting Requirements for Businesses

Montana statutes governing data breaches require businesses to notify affected Montana residents if the resident’s personal information is compromised. The notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement.

Any business that is required to issue such a notice is also required to simultaneously submit an electronic copy of the notice to the Office of Consumer Protection (OCP) at [email protected].

  • The copy of the notice should exclude any information that personally identifies a consumer.
  • If the same notice is sent to more than one consumer, the business is required to submit only a single copy of the notice to the OCP. However, the business should indicate the number of Montana residents who were notified.
  • The business should also advise the OCP of the date the notice was sent and the notice’s method of distribution (e.g., U.S. Mail, e-mail, telephone, etc.).

Frequently Asked Questions

Montana Code Annotated section 30-14-1704 sets forth a business’s obligations if a Montana resident’s personal information is compromised. A business should review MCA § 30-14-1704 to understand the requirements of Montana law. The following is a summary of frequently asked questions about that law.

Q.  What constitutes a breach of the security of a data system?

A.  Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the business and that causes, or is reasonably believed to cause, loss or injury to a Montana resident.

Q.  What constitutes personal information?

A.  A first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
            (i)    a social security number;
            (ii)   a driver’s license number, state identification card number, or tribal identification number;
            (iii)  an account number, or credit or debit card number, in combination with any required security code, access code, or password;
            (iv)   medical record information as defined in MCA § 33-19-104;
            (v)    a taxpayer identification number; or
            (vi)   an identity protection personal identification number issued by the U.S. Internal Revenue Service.

Q.  How many Montanans need to be affected in order to trigger the requirement of notice?

A.  One or more.

Q.  How does a business provide notice to the affected consumer?

A.  Via written notice, electronic notice (if consistent with 15 U.S.C. § 7001), telephonic notice, or substitute notice.

Q.  What information does the notification require?

A.  At a minimum, the business should notify a Montana resident that the resident’s personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The notice should include the date or dates of the breach or probable breach and should identify which elements of personal information were likely acquired.

Q.  Where does my business send the electronic copy of the notification, the statement providing the date and method of distribution of the notification, and the number of Montanans affected?

A.  To the Attorney General’s Office of Consumer Protection via e-mail to [email protected].

Q.  I am engaged in the insurance business. Am I required to provide a copy of a notice to the Attorney General if personal information is believed to have been acquired by an unauthorized person?

A.  No, you should not send a copy of the notice to the Attorney General. However, you should review MCA § 33-19-321, because you may be required to notify the Commissioner of Insurance instead.

Q.  I am not engaged in a business. However, I am employed by a state agency. Does a state agency have any notice requirements if personal information is believed to have been acquired by an unauthorized person?

A.  Yes, state agencies are obliged to issue similar data breach notices. A state agency is defined as an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government. State agencies should review MCA § 2-6-1501 through MCA § 2-6-1503.

Other Information

The Consumer Federation of America has provided additional information that may be of assistance to you. See their fact sheet, “7 Questions to Ask.”