Montana Adopts Security Breach Notification Law
Last April, Montana joined a number of states that have passed data security legislation to protect consumers in the event of breaches in the security of databases containing personal information. Other states in the region, including Washington and North Dakota, have passed similar legislation. These laws generally require businesses that maintain computerized databases of personal information to notify affected individuals upon discovering that there has been a security breach resulting in the unauthorized acquisition of computerized data, if the breach materially compromises the security, confidentiality or integrity of the personal information.
The Montana law defines a “business” as a sole proprietorship, partnership, corporation, association or other group, however organized and whether for profit or not, including financial institutions and entities that destroy records. A “customer” is defined as an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business. “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following: social security number; driver’s license number or state identification card number; and account number or credit or debit card number, together with any required security code, access code or password that would permit access to an individual’s financial account. If the personal information is entirely encrypted, then the security breach notification provisions do not apply.
The law imposes on all businesses an affirmative obligation to take reasonable steps to destroy a customer’s records containing personal information when the business no longer has a reason for maintaining that information. The records may be destroyed by shredding, erasing or otherwise modifying the personal information to make it unreadable or undecipherable.
The law further imposes on all Montana businesses that own or license computerized data that includes personal information an obligation to disclose to all affected residents of Montana any breach in the security of the database promptly following discovery or notification of the breach. Notification may be delayed only if necessary to determine the scope of the breach, to restore the integrity of the database, or to cooperate with law enforcement. Notice may be provided in writing, electronically, or by telephone. Alternate notice provisions are provided for situations where it is not possible to reach the affected individuals by delivery, mail, email or telephone.
The Montana Department of Commerce has the authority to bring an action for injunctive relief in the name of the state against a business that is not in compliance with the new law, which goes into effect March 1, 2006. To prepare for the effective date, all businesses handling personal information should develop their own written policies for notification in the event of a security breach. The law states that if a business has such procedures in place before the security breach, and if notice is not unreasonably delayed, then the business will be deemed to have complied with the law if it follows its own procedures.