Quick Facts
Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable tpersons or businesses, excluding insurance companies, that conduct business in Montana and that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject tdifferent requirements.
Risk of Harm Threshold
Notification not required if the covered entity reasonably believes that breach has not and will not reasonably cause loss or injury ta Montana resident.
Breach Defined
Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by an entity and causes or is reasonably believed tcause loss or injury ta Montana resident. Good-faith acquisition of personal information by an employee or agent of an entity for the purposes of the entity is not a breach of the security of the data system, provided that the personal information is not used or subject tfurther unauthorized disclosure.
Encryption Safe Harbor
Statute does not apply tinformation that is encrypted.
Form of Covered Info
Electronic Only
Covered Information
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number, state identification card number, or tribal identification card number.
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access tan individual's financial account.
- Medical record information as defined in § 33-19-10 (personal information that relates tan individual's physical or mental condition, medical history, medical claims history, or medical treatment and is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian).
- A taxpayer identification number.
- An identity protection personal identification number issued by the United States Internal Revenue Service.
Consumer Notice Timing
Must be made without unreasonable delay, consistent with any measures necessary tdetermine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The statute does not contain any content requirements.
Delayed Notice
Notification may be delayed if law enforcement determines notice may impede a criminal investigation.
Government Notice
If notice tresidents is required, must simultaneously submit electronic copy of notification tAttorney General along with a statement detailing the date and method of distributing the notice and number of residents notified.
Consumer Reporting Agency Notice
If notice tresidents suggests, indicates, or implies that they may obtain a copy of their consumer report from a CRA, entity must coordinate with the CRA as tthe timing, content, and distribution of the notice. Coordination may not unreasonably delay notice taffected residents.
Exceptions for Other Laws
None
Third-Party Notice
If you maintain covered infon behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of Action
*The Montana statute does not provide for a private right of action. Notably, the US District Court for the Northern District of Georgia found that the general breach notification statute is privately enforceable through the state's unfair trade practices statute (In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1340, n. 304 (N.D. Ga. 2019)).
Potential Penalties
Violations may result in civil or criminal penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023