Montana Broadens Data Breach Notification Law

Written by

Montana has amended the state’s data breach notification law to both broaden the definition of “personal information” that triggers individual notice and to require notice to the state’s attorney general. The changes become effective on October 1, 2015.

Montana has joined several other states, including California and Florida, that include medical-related information in the definition of personal information. Montana’s statute specifies that the medical information that would trigger individual notice, in combination with an individual’s full name or first initial and last name, “(a) relates to an individual’s physical or mental condition, medical history, medical claims history, or medical treatment; and (b) is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.” The revised statute also includes the individual’s full name or first initial and last name in combination with a taxpayer identification number or identity protection PIN issued by the Internal Revenue Service.

In contrast to recent updates made in California and Florida, however, Montana does not include an email address or username in combination with password to an online account in its definition of personal information.

In addition, the amended law adds notification to Montana’s attorney general once individual notice is triggered. Notice to the attorney general is required “simultaneously” with individual notices, and must include the number of individuals in the state who received notification.