Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

MONTANA DATA PRIVACY REGULATIONS

Did You Know?

 
  • Data owner responsibility for reporting and notifications
  • Within the notice, if the data owner suggests, indicates, or implies that individual may obtain a copy of their file from a consumer credit reporting agency (CRA), the data owner must coordinate with the CRA
  • Notification may be required to the state attorney general
  • Various industries have statutes specifically for them
  • Laws also cover data protection, data disposal, and record retention

Who Me?

 

Montana breach and notification laws may apply if you are a person or business that:

  • Conducts business in Montana and owns or maintains computerized data that includes PII
  • Maintains computerized PII that they do not own or license

There are usually exemptions.
Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply

What is PII?

 

PII relevant to a breach in Montana includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license, state, tribal or tax payer identification number;
  • Account or credit/debit card card numbers; and security or access codes, passwords etc. that would permit access
  • Medical recrod information
  • An identity protection personal identification number issued by the United States Internal Revenue Service.

LAWS

APPLICABLE LAWS

A relevant statute includes, but is not limited to:

  • Title 30. Trade And Commerce
  • Chapter 14. Unfair Trade Practices And Consumer Protection
    • Part 17. Impediment Of Identity Theft 30-14-1701 to 30-14-1705

RELATED LAWS

A related statute includes, but is not limited to:

  • Title 30. Trade And Commerce
  • Chapter 14. Unfair Trade Practices And Consumer Protection
    • Part 17. Impediment Of Identity Theft 30-14-1702, 30-14-1703, and 30-14-1721

PENALTIES

COMPLIANCE PENALTIES

Violations may be investigated by the Montana Department of Justice with penalties including injunction, civil fine of $10,000 or less, and an additional $10,000 for willful violation, imprisonment up to a year, or both

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If any medical information matches the description in statute 33-19-104 Definitions
  • If the data was computerized
  • If the data was encrypted
  • If the data included any kind of access code, password, or cipher
  • If it was acquired by an unauthorized person

TIME LIMITS

The notification may be delayed if law enforcement indicates the notification will impede a criminal investigation, otherwise it must be made without unreasonable delay.
The state attorney general’s consumer protection office must be notified simultaneously with specific information.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Within the notice, if the data owner suggests, indicates, or implies that individual may obtain a copy of their file from a consumer credit reporting agency (CRA), the data owner must coordinate with CRA with specific information.

Disclosure may be made by written notice, telephone, or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $250,000 or the persons to be notified exceeds 500,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR