Montana Code 2-6-1503. Notification of breach of security of data system
2-6-1503. Notification of breach of security of data system.

(1) (a) Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

(b) The notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement as provided in subsection (3) or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system.

(2) (a) A third party that receives personal information from a state agency and maintains that information in a computerized data system to perform a state agency function shall:

(i) notify the state agency immediately following discovery of the breach if the personal information is reasonably believed to have been acquired by an unauthorized person; and

(ii) make reasonable efforts upon discovery or notification of a breach to notify any person whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as part of the breach. This notification must be provided in the same manner as the notification required in subsection (1).

(b) A state agency notified of a breach by a third party has no independent duty to provide notification of the breach if the third party has provided notification of the breach in the manner required by subsection (2)(a) but shall provide notification if the third party fails to do so in a reasonable time and may recover from the third party its reasonable costs for providing the notice.

(3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay of notification. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.

(4) All state agencies and third parties to whom personal information is disclosed by a state agency shall develop and maintain:

(a) an information security policy designed to safeguard personal information; and

(b) breach notification procedures that provide reasonable notice to individuals as provided in subsections (1) and (2).

(5) A state agency or third party that is required to issue a notification to an individual pursuant to this section shall simultaneously submit to the state's chief information security officer at the department of administration and to the attorney general's consumer protection office an electronic copy of the notification and a statement providing the date and method of distribution of the notification. The electronic copy and statement of notification must exclude any information that identifies the person who is entitled to receive notification. If notification is made to more than one person, a single copy of the notification that includes the number of people who were notified must be submitted to the chief information officer and the consumer protection office.

Terms Used In Montana Code 2-6-1503

- Breach: means the unauthorized acquisition of computerized data that:
  (a) materially compromises the security, confidentiality, or integrity of the personal information maintained by a state agency or by a third party on behalf of a state agency; and
  (b) causes or is reasonably believed to cause loss or injury to a person. See Montana Code 2-6-1501
- Chief information security officer: means an employee at the department of administration designated by the chief information officer who is responsible for protecting the state's information assets and citizens' data by:
  (a) advising and overseeing information security strategy and programs for executive branch state agencies without elected officials;
  (b) advising and consulting information security strategy and programs for executive branch state agencies with elected officials and the legislative and judicial branches; and
  (c) advising information security strategy and programs for city, county, consolidated city-county, and local governments and for school districts, other political subdivisions, or tribal governments. See Montana Code 2-6-1501
- Individual: means a human being. See Montana Code 2-6-1501
- Person: means an individual, a partnership, a corporation, an association, or a public organization of any character. See Montana Code 2-6-1501
- Personal information: means a first name or first initial and last name in combination with any one or more of the following data elements when the name and data elements are not encrypted:
  (i) a social security number;
  (ii) a driver's license number, an identification card number issued pursuant to 61-12-501, a tribal identification number or enrollment number, or a similar identification number issued by any state, the District of Columbia, the Commonwealth of Puerto Rico, Guam, the Virgin Islands, or American Samoa;
  (iii) an account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account;
  (iv) medical record information as defined in 33-19-104;
  (v) a taxpayer identification number; or
  (vi) an identity protection personal identification number issued by the United States internal revenue service. See Montana Code 2-6-1501
- State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Montana Code 1-1-201
- State agency: means an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government. See Montana Code 2-6-1501
- Third party: means:
  (a) a person with a contractual obligation to perform a function for a state agency; or
  (b) a state agency with a contractual or other obligation to perform a function for another state agency. See Montana Code 2-6-1501