Montana statutes governing data breaches require businesses to notify affected Montana residents if the resident’s personal information is compromised. The notice must be made without reasonable delay, consistent with the legitimate needs of law enforcement.

Any business that is required to issue any such a notice is also required to simultaneously submit an electronic copy of the notice to the Office of Consumer Protection (OCP) at [email protected].

  • The copy of the notice should exclude any information that personally identifies the consumer.
  • If the same notice is made to more than one consumer, the business is required to submit a single copy of the notice to the OCP. However, the business should indicate the number of Montana residents who were notified.
  • The business should also advise the OCP of the date the notice was made and the notice’s method of distribution (e.g., U.S. Mail, e-mail, telephone, etc.).

Frequently Asked Questions

Montana Code Annotated section 30-14-1704 sets forth a business’s obligations if a Montana resident’s personal information is compromised. A business should review MCA § 30-14-1704 to understand the requirements of Montana law. The following is a summary of frequently asked questions about Montana law.

Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the business, and causes – or is reasonably believed to cause – loss or injury to a Montana resident.

A first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted:

  • a social security number;
  • a driver’s license number, state identification card number, or tribal identification number;
  • an account number, or credit or debit card number, in combination with any required security code, access code, or password;
  • medical record information as defined in 33-19-104;
  • taxpayer identification number; or
  • an identity protection personal identification number issued by the U.S. Internal Revenue Service.

One or more.

Via written notice, electronic notice (if consistent with 15 U.S.C. 7001), telephonic notice, or substitute notice.

At a minimum, the business should notify a Montana resident if the resident’s personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person. The notice should include the date or dates of the breach or probable breach. The notice should identify those elements of personal information that were likely acquired.

To the Attorney General’s Office of Consumer Protection via e-mail to [email protected].

Your Content Goes Here No, you should not send a copy of the notice to Attorney General. However, you should review MCA § 33-19-321. You may be required to notify the Commissioner of Insurance.

 Yes, state agencies are obliged to issue similar data breach notices.  State agencies are defined as an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government.  State agencies should review MCA § 2-6-1501 to MCA § 2-6-1503.

Other Information

The Consumer Federation of America has provided additional information that may be of assistance to you.  Check out their 7 questions to ask fact sheet.

OCP