Montana's Amendments to Its Breach Notification Law



Last April, Montana added a public sector breach notification requirement to its existing private sector breach notification law.  Mont. Code Ann. § 30-14-1704.  The new law, enacted as H.B. 155, went into effect on October 1, 2009.  It applies to “state agencies,” and creates a breach notification requirement for agencies maintaining data containing personal information.
 
Montana state agencies must notify any person (whether or not a Montana resident) whose unencrypted personal information is acquired by an unauthorized person following a breach.  Id. § 2-6-504(1)(a).  Notification does not depend on a finding of likely harm.  If a third party makes the required notifications, the agency does not need to notify the affected persons of the breach.  
 
As in California’s SB 1386, “personal information” means a name in combination with a driver’s license number, Social Security number or account number together with an access code.  Id. § 2-6-501(4).  An agency may delay notification if a law enforcement agency determines that notification would impede a criminal investigation and requests a notification delay.  Id. § 2-6-504(3).
 
More generally, state agencies obtaining personal information must develop and maintain an information security policy to safeguard the personal information they manage, as well as breach notification procedures to provide the required notice.  Id. § 2-6-504(4). 
 
H.B. 155 also includes requirements for state agencies to protect individuals’ Social Security numbers (SSNs).  Agencies must develop procedures to eliminate the unnecessary use of SSNs, restrict access to SSNs, redact and dispose of documents containing SSNs, eliminate unnecessary storage of SSNs, and protect data containing SSNs on portable devices.  Id. § 2-6-502.  Existing state agencies must comply with this law by September 1, 2012.
 
Stephen Wu
Partner, Cooke Kobrick & Wu LLP
www.ckwlaw.com
