33-19-321. Computer security breach. (1) Any licensee or insurance-support organization that conducts business in Montana and that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery or notice of the breach of the security of the system to any individual whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
(2) Any person to whom personal information is disclosed in order for the person to perform an insurance function pursuant to this part that maintains computerized data that includes personal information shall notify the licensee or insurance-support organization of any breach of the security of the system in which the data is maintained immediately following discovery of the breach of the security of the system if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
(3) The notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and requests a delay of notice. The notice required by this section must be made after the law enforcement agency determines that the notice will not compromise the investigation.
(4) Licensees, insurance-support organizations, and persons to whom personal information is disclosed pursuant to this part shall develop and maintain an information security policy for the safeguarding of personal information and security breach notice procedures that provide expedient notice to individuals as provided in subsection (1).
(5) Any licensee or insurance-support organization that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the commissioner, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
(6) For purposes of this section, the following definitions apply:
(a) "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a licensee, insurance-support organization, or person to whom information is disclosed pursuant to this part. Acquisition of personal information by a licensee, insurance-support organization, or employee or agent of a person as authorized pursuant to this part is not a breach of the security of the system.
(b) (i) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted:
(A) social security number;
(B) driver's license number, state identification card number, or tribal identification card number;
(C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
(D) medical record information;
(E) a taxpayer identification number; or
(F) an identity protection personal identification number issued by the United States internal revenue service.
(ii) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
History: En. Sec. 9, Ch. 518, L. 2005; amd. Sec. 4, Ch. 180, L. 2007; amd. Sec. 4, Ch. 62, L. 2015.