Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Montana residents.
Definition includes medical record information, taxpayer identification number, or an identity protection personal identification number issued by the United States internal revenue service.
“Security Breach” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a person.
“Medical Record Information” means personal information that: (a) relates to an individual's physical or mental condition, medical history, medical claims history, or medical treatment; and (b) is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent or legal guardian.
“Redaction” means the alteration of personal information contained within data to make all or a significant part of the data unreadable. The term includes truncation, which means that no more than the last four digits of an identification number are accessible as part of the data.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person or business that conducts business in Montana and owns or licenses computerized data that includes personal information.
(Insurance-support organizations are also covered by Mont. Code §33-19-321.)
Third party recipients:
Any person or business that maintains computerized data containing personal information of Montana residents that the person or business does not own must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written, electronic, or telephonic notice must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
- Notice not required if covered entity determines that security breach has not materially compromised the security, confidentiality, or integrity of personal information and has not caused or is not reasonably likely to cause loss or injury to a person.
If the notice provided suggests or implies that a consumer can obtain a copy of their file from a credit reporting agency, the business must coordinate with the credit reporting agency regarding the timing, content, and distribution of notice to the Montana consumer so long as the coordination does not unreasonably delay the notice to the affected individuals.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of that covered entity so long as personal information is not used or subject to further unauthorized disclosure.
Covered entity deemed in compliance with the Montana statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Montana statute.
Notification to Regulator / Waiver
Consumer Protection Office of attorney general must be notified at the same time as notice is provided to affected individuals.
Notice will consist of an electronic copy of the notification to individuals and a statement providing the date and distribution method of the required notification.
If notice will be provided to more than one individual, a single copy of the notification must be submitted indicating the number of individuals in the state who received notification.
A determination of no likelihood of harm:
Does not require notification to attorney general.
Penalties for a violation of the statute are provided in Mont. Code §30-14-142.
Temporary and permanent injunctions available.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.