Montana Code § 30-14-1701 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
“Breach of the security of the data system” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure.
When is notice required?
Notice is required for all affected residents without unreasonable delay, subject to the needs of law enforcement, and the time it takes to restore integrity and confidentiality to the system. Notice may be given in written, electronic, telephonic, or substitute form, depending on circumstances. While substitute notices is clearly defined, the content of the other notices is not stipulated in the statute. However, if the notice includes information about contacting a credit reporting agency, then the business must coordinate with those agencies to notify them of the breach. Businesses are also required to notify the Attorney General and send a copy of the notice to the office.
What are the penalties for non-compliance?
Violations have their own section of the law, §30-14-1705(1), which reads as follows:
"Whenever the department has reason to believe that a person has violated this part and that proceeding would be in the public interest, the department may bring an action in the name of the state against the person to restrain by temporary or permanent injunction or temporary restraining order the use of the unlawful method, act, or practice upon giving appropriate notice to that person pursuant to 30-14-111(2)."