The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information.
Consumer Notification: A covered entity shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.
Regulatory Notification: A covered entity that is required to issue a notification pursuant to the Montana data breach notification statute shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
Notification Timeline: Notification must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Data Format: Computerized Data.
Citations: Mont. Code Ann. §30-14-1704.
- Breach: The unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the covered entity and causes or is reasonably believed to cause loss or injury to a Montana resident.
- Personal Information (PI): An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- Social security number;
- Driver's license number, state identification card number, or tribal identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- Medical record information as defined in 33-19-104;
- A taxpayer identification number; or
- An identity protection personal identification number issued by the United States internal revenue service.
- Medical Information:
- Relates to an individual's physical or mental condition, medical history, medical claims history, or medical treatment; and
- Is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian.
- Health Insurance Information: N/A
- Encryption: Statute does not apply to data that is encrypted.
- Good Faith: Good faith acquisition of personal information by an employee or agent of the covered entity for the purposes of the covered entity is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure.
- Risk of Harm: It is not considered a breach if it does not cause or is not reasonably believed that it will cause loss or injury to a Montana resident.
- Law Enforcement Delay: The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay in notification. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.
- Timing: Notification of a data breach must be made without unreasonable delay, consistent with the legitimate needs of law enforcement or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Format: N/A
- Content: N/A
- Method: Notice may be provided by one of the following methods:
- Written notice;
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001;
- Telephonic notice; or
- Substitute notice, if the covered entity demonstrates that:
- The cost of providing notice would exceed $250,000;
- The affected class of subject persons to be notified exceeds 500,000; or
- The covered entity does not have sufficient contact information.
Substitute notice must consist of the following:
- An electronic mail notice when the covered entity has an electronic mail address for the subject persons; and
- Conspicuous posting of the notice on the website page of the covered entity if the covered entity maintains one; or
- Notification to applicable local or statewide media.
A covered entity that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the Montana attorney general's consumer protection office, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
Credit Reporting Agencies Notice:
If a covered entity discloses a security breach to any individual pursuant to this section and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the covered entity shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual. The coordination may not unreasonably delay the notice to the affected individuals.
Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
Insurance Information Statute: Mont. Code Ann. § 33-19-321.
Comprehensive Data Privacy Law
Montana Consumer Data Privacy Act
S.B. 384 (2023)
Persons that conduct business in Montana or produce products or services that are targeted to Montana residents and that control or process the Personal Data of:
- 50,000 or more consumers, excluding Personal Data controlled or processed solely for the purpose of completing a payment transaction; or
- 25,000 or more consumers and derives more than 25% of gross revenue from the sale of Personal Data.
Among other exclusions, the Montana Consumer Data Privacy Act (“MCDPA”) excludes state and local government and judicial entities; institutions of higher learning; nonprofit organizations; employment-related data; and entities or data regulated by HIPAA, GLBA, FCRA, FERPA, and COPPA.
- Provide a secure and reliable process for the consumer to exercise their rights and describe this process in the controller’s privacy notice.
- Provide a clear and conspicuous link on the controller’s website to a webpage that enables a consumer, or an agent for the consumer, to opt out of the targeted advertising or sale of the consumer’s Personal Data.
- By no later than January 1, 2025, allow a consumer to opt out of any processing of the consumer’s Personal Data for the purpose of targeted advertising, or any sale of such Personal Data through an opt-out preference signal sent with the consumer’s consent, to the controller by a platform, technology, or mechanism subject to certain specifications.
- Except as otherwise permitted, comply with consumer requests exercising their consumer rights authorized by the MCDPA.
- Respond to consumers without undue delay, but not later than 45 days after receiving a consumer’s request. The 45 days may be extended by an additional 45 days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided that the controller informs the consumer of the extension within the initial 45-day period and provides the reason for the extension. Information provided to consumers in response to a request must be provided by a controller, free of charge except in limited circumstances, once for each consumer during a 12-month period.
- Where a controller declines to act regarding a consumer’s request, notify the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining to act and providing instructions for how to appeal the decision.
- Comply with opt-out requests received from an authorized agent of the consumer if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
- Limit data collection and retention of data that is adequate, relevant, and reasonably necessary in relation to the purposes for which Personal Data is processed.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of Personal Data appropriate to the volume and nature of the Personal Data at issue
- Provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to process the Personal Data as soon as practicable, but not later than 45 days after the receipt of the request.
- Obtain the consumer’s consent prior to processing Personal Data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the Personal Data is processed as disclosed to the consumer.
- Obtain prior consent from parent or lawful guardian to process Personal Data concerning a known child.
- Do not process Personal Data in violation of state and federal laws that prohibit unlawful discrimination against Consumers.
- Do not discriminate against a consumer for exercising their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.
- If a controller sells personal data to third parties or processes Personal Data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing.
- Provide consumers with a reasonably accessible, clear, and meaningful privacy notice that covers specific topics, such as the categories of Personal Data processed by the controller and the purpose for processing the Personal Data.
- A controller may not require a consumer to create a new account to exercise their consumer rights but may require that a consumer use an existing account.
- When in possession of deidentified data, take reasonable measures to ensure that the deidentified data cannot be associated with an individual; publicly commit to maintaining and using deidentified data without attempting to reidentify the deidentified data; and contractually obligate any recipients of the deidentified data to comply with the MCDPA.
- For processing activities created or generated after January 1, 2025, conduct and document a Data Protection Assessment (DPA) for each of the controller’s processing activities that present a heightened risk of harm to a consumer, such as for:
- Targeted advertising;
- Selling personal data;
- Profiling that presents reasonably foreseeable risk of: unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on consumers’ solitude, seclusion, private affairs, or private concerns, if it would offend a reasonable person; or another substantial consumer injury; and
- Processing sensitive data.
- Adhere to the instructions of a controller and assist the controller in meeting the controller’s obligations under the MCDPA, including its obligations regarding consumer rights requests, security of data processing and breach notification, and providing necessary information to enable the controller to conduct and document data protection assessments.
- Enter into a binding contract with controller that governs the processor’s data processing procedures with respect to data processing performed on behalf of the controller and cover, among other things, the duration of the processing, the rights and obligations of both parties, and a requirement that each person processing personal data is subject to a duty of confidentiality with respect to the Personal Data.
Businesses must respond without undue delay and within 45 days to verified consumer requests regarding the processing of PI and SPI, including consumers’:
- Right to deletion of Personal Data;
- Right to confirm the processing of and access Personal Data;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to correct inaccurate Personal Data;
- Right to opt out of Personal Data sales, targeted advertising, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer; i.e., decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to necessities such as food and water.
Additionally, a Controller shall establish a process for the consumer to appeal to the Controller’s refusal to take action on a request. The appeal process must be made conspicuously available and similar to the process for submitting requests to initiate action. The Controller is required to take action within sixty (60) days of receipt of an appeal, inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions, as well as provide a mechanism for consumers to contact the Attorney General if the appeal is denied.
- Consumer: An individual who is a Montana resident acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
- Controller: A person who or legal entity that, alone or jointly with others, determines the purposes and means for processing Personal Data.
- Deidentified Data: Data that cannot be used to reasonably infer information about or otherwise be linked to an identified or identifiable individual or a device linked to the individual.
- Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes: de-identified data and publicly available data (defined as information lawfully made available from federal, state, or municipal government records or widely distributed media, or information that a Controller has a reasonable basis to believe the consumer has lawfully made available to the public).
- Profiling: Any form of automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The exchange of Personal Data for monetary or other valuable consideration by the Controller to a third party. The term excludes the following disclosures from this definition: (i) the disclosure of Personal Data to a processor that processes the personal data on behalf of the Controller; (ii) the disclosure of Personal Data to a third party for the purposes of providing a product or service requested by the consumer; (iii) the disclosure or transfer of Personal Data to an affiliate of the Controller; (iv) the disclosure of Personal Data in which the consumer directs the Controller to disclose the personal data or intentionally uses the controller to interact with a third party; (v) the disclosure of personal data that the consumer: (A) intentionally made available to the public via a channel of mass media; and (B) did not restrict to a specific audience; or (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
- Sensitive Data: Personal Data revealing: racial or ethnic origin; religious beliefs; a mental or physical health condition or diagnosis; information about a person’s sex life, sexual orientation, or citizenship/citizenship status. Sensitive data also includes the processing of genetic or biometric data for the purpose of uniquely identifying an individual; Personal Data collected from a known child; or precise geolocation data.
Violations of the MCDPA may be enforced by the Montana Attorney General. The Montana Attorney General will, prior to bringing an action for violation of the MCDPA, issue a notice of violation to the controller who shall have a 60-day cure period to correct the noticed violation and provide the Montana Attorney General with an express written statement that the alleged violations have been corrected and that no such further violations will occur.
October 1, 2024