Skip to content
DWT logo
People Services Insights
About Offices Careers
Search
People
Services
Insights
About
Offices
Careers
Search

Montana

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes

Mont. Code Ann. §§ 30-14-1701 to -1705

Scope of this Summary:

Notification requirements applicable tpersons or businesses, excluding insurance companies, that conduct business in Montana and that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject tdifferent requirements.

Risk of Harm Threshold

Notification not required if the covered entity reasonably believes that breach has not and will not reasonably cause loss or injury ta Montana resident.

Breach Defined

Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by an entity and causes or is reasonably believed tcause loss or injury ta Montana resident. Good-faith acquisition of personal information by an employee or agent of an entity for the purposes of the entity is not a breach of the security of the data system, provided that the personal information is not used or subject tfurther unauthorized disclosure.

Encryption Safe Harbor

Statute does not apply tinformation that is encrypted.

Form of Covered Info

Electronic Only

Covered Information

An individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number.
  • Driver's license number, state identification card number, or tribal identification card number.
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access tan individual's financial account.
  • Medical record information as defined in § 33-19-10 (personal information that relates tan individual's physical or mental condition, medical history, medical claims history, or medical treatment and is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian).
  • A taxpayer identification number.
  • An identity protection personal identification number issued by the United States Internal Revenue Service.

Consumer Notice Timing

Must be made without unreasonable delay, consistent with any measures necessary tdetermine the scope of the breach and restore the reasonable integrity of the system.

Consumer Notice Method

By written notice, telephone notice, or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

The statute does not contain any content requirements.

Delayed Notice

Notification may be delayed if law enforcement determines notice may impede a criminal investigation.

Government Notice

If notice tresidents is required, must simultaneously submit electronic copy of notification tAttorney General along with a statement detailing the date and method of distributing the notice and number of residents notified.

Consumer Reporting Agency Notice

If notice tresidents suggests, indicates, or implies that they may obtain a copy of their consumer report from a CRA, entity must coordinate with the CRA as tthe timing, content, and distribution of the notice. Coordination may not unreasonably delay notice taffected residents.

Exceptions for Other Laws

None

Third-Party Notice

If you maintain covered infon behalf of another entity, you must notify it immediately following discovery of a breach.

Private Right of Action

*The Montana statute does not provide for a private right of action. Notably, the US District Court for the Northern District of Georgia found that the general breach notification statute is privately enforceable through the state's unfair trade practices statute (In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1340, n. 304 (N.D. Ga. 2019)).

Potential Penalties

Violations may result in civil or criminal penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023

DWT logo
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.
Media Kit Affiliations Legal notices
Privacy policy Employees DWT Collaborate EEO

SUBSCRIBE
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.