§30-14-1704 and §33-19-32. Computer Security Breach; Definitions.
Jump to navigation
Jump to search
§30-14-1704 and §33-19-32. Computer Security Breach; Definitions. | |
---|---|
Short Title | |
Official Text | §30-14-1704 and §33-19-32. Computer Security Breach; Definitions. |
Country/Jurisdiction | United States |
State or Province | Montana |
Regulatory Bodies | |
Date Enacted | |
Scope of the Law | General Business |
Information | |
Taxonomy | Identification, Insecurity, Interrogation |
Strategies |
Text of the law
- TITLE 30. TRADE AND COMMERCE
- CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION
- Part 17. Impediment of Identity Theft
- Computer Security Breach
- 30-14-1704. Computer security breach. (1) Any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system following discovery or notification of the breach to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Insecurity
- (2) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data system immediately following discovery if the personal information was or is reasonably believed to have been acquired by an unauthorized person.
- (3) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation and requests a delay in notification. The notification required by this section must be made after the law enforcement agency determines that it will not compromise the investigation.
- (4) For purposes of this section, the following definitions apply:
- (a) "Breach of the security of the data system" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal information is not used or subject to further unauthorized disclosure. Insecurity
- (b) (i) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- (A) social security number;
- (B) driver's license number, state identification card number, or tribal identification card number;
- (C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- (D) medical record information as defined in 33-19-104;
- (E) a taxpayer identification number; or
- (F) an identity protection personal identification number issued by the United States internal revenue service. Identification
- (b) (i) "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
- (ii) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- (5) (a) For purposes of this section, notice may be provided by one of the following methods:
- (i) written notice;
- (ii) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001;
- (iii) telephonic notice; or
- (iv) substitute notice, if the person or business demonstrates that:
- (A) the cost of providing notice would exceed $250,000;
- (B) the affected class of subject persons to be notified exceeds 500,000; or
- (C) the person or business does not have sufficient contact information.
- (b) Substitute notice must consist of the following:
- (i) an electronic mail notice when the person or business has an electronic mail address for the subject persons; and
- (ii) conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; or
- (iii) notification to applicable local or statewide media.
- (6) Notwithstanding subsection (5), a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and that does not unreasonably delay notice is considered to be in compliance with the notification requirements of this section if the person or business notifies subject persons in accordance with its policies in the event of a breach of security of the data system.
- (7) If a business discloses a security breach to any individual pursuant to this section and gives a notice to the individual that suggests, indicates, or implies to the individual that the individual may obtain a copy of the file on the individual from a consumer credit reporting agency, the business shall coordinate with the consumer reporting agency as to the timing, content, and distribution of the notice to the individual. The coordination may not unreasonably delay the notice to the affected individuals.
- (8) Any person or business that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the attorney general's consumer protection office, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.
- History: En. Sec. 7, Ch. 518, L. 2005; amd. Sec. 3, Ch. 180, L. 2007; amd. Sec. 3, Ch. 62, L. 2015.
- TITLE 33. INSURANCE AND INSURANCE COMPANIES
- CHAPTER 19. INSURANCE INFORMATION AND PRIVACY PROTECTION
- Part 1. General Provisions
- Definitions
- 33-19-104. Definitions. As used in this chapter, the following definitions apply:
- (1) (a) "Adverse underwriting decision" means any of the following actions with respect to insurance transactions involving insurance coverage that are individually underwritten:
- (i) a declination of insurance coverage;
- (ii) a termination of insurance coverage;
- (iii) failure of an insurance producer to apply for insurance coverage with a specific insurance institution that the insurance producer represents and that is requested by an applicant;
- (iv) in the case of a property or casualty insurance coverage:
- (A) placement by an insurance institution or insurance producer of a risk with a residual market mechanism, an unauthorized insurer, or an insurance institution that specializes in substandard risks; or
- (B) the charging of a higher rate on the basis of information that differs from that which the applicant or policyholder furnished;
- (v) in the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.
- (b) The following actions are not adverse underwriting decisions, but the insurance institution or insurance producer responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:
- (i) the termination of an individual policy form on a class or statewide basis;
- (ii) a declination of insurance coverage solely because the coverage is not available on a class or statewide basis; or
- (iii) the rescission of a policy.
- (2) "Affiliate" or "affiliated" means a person who directly, or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person.
- (3) "Applicant" means a person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.
- (4) "Consumer report" means any written, oral, or other communication of information bearing on a natural person's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.
- (5) "Consumer reporting agency" means a person who:
- (a) regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee;
- (b) obtains information primarily from sources other than insurance institutions; and
- (c) furnishes consumer reports to other persons.
- (6) "Control", including the terms "controlled by" or "under common control with", means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.
- (7) "Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or insurance producer of requested insurance coverage.
- (8) "Individual" means a natural person who:
- (a) regarding property or casualty insurance, is a past, present, or proposed named insured or certificate holder;
- (b) regarding life, health, or disability insurance, is a past, present, or proposed principal insured or certificate holder;
- (c) is a past, present, or proposed policyowner;
- (d) is a past or present applicant;
- (e) is a past or present claimant; or
- (f) derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this chapter.
- (9) "Institutional source" means a person or governmental entity that provides information about an individual to an insurance producer, insurance institution, or insurance-support organization, other than:
- (a) an insurance producer;
- (b) the individual who is the subject of the information; or
- (c) a natural person acting in a personal capacity rather than a business or professional capacity.
- (10) "Insurance function" means claims administration, claims adjustment and management, fraud investigation, fraud prevention, underwriting, loss control, ratemaking functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, subrogation, grievance procedures, insurance transactions, internal administration of compliance and policyholder service functions, and technical, administrative, or professional services related to the provision of the functions described in this subsection.
- (11) (a) "Insurance institution" means a corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the business of insurance, including health maintenance organizations, and health service corporations as defined in 33-30-101.
- (b) Insurance institution does not include insurance producers or insurance-support organizations.
- (12) "Insurance producer" means an insurance producer as defined in 33-17-102 and 33-30-311.
- (13) (a) "Insurance-support organization" means a person who assembles or collects information about natural persons for the purpose of providing the information to an insurance institution or insurance producer for insurance transactions, including:
- (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or insurance producer for use in connection with an insurance transaction; or
- (ii) the collection of personal information from insurance institutions, insurance producers, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.
- (b) The following persons are not insurance-support organizations for purposes of this chapter: insurance producers, government institutions, medical care institutions, and medical professionals.
- (14) "Insurance transaction" means a transaction involving insurance primarily for personal, family, or household needs, rather than for business or professional needs, that entails:
- (a) the determination of an individual's eligibility for an insurance coverage, benefit, or payment; or
- (b) the servicing of an insurance application, policy, contract, or certificate.
- (15) "Investigative consumer report" means a consumer report or portion of a consumer report containing information about a natural person's character, general reputation, personal characteristics, or mode of living obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning this type of information. Interrogation
- (1) (a) "Adverse underwriting decision" means any of the following actions with respect to insurance transactions involving insurance coverage that are individually underwritten:
- (16) "Licensee" means:
- (a) an insurance institution, insurance producer, or other person who is licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to this title; or
- (b) a surplus lines insurer.
- (17) "Medical care institution" means a facility or institution that is licensed to provide health care services to natural persons, including but not limited to health maintenance organizations, home health agencies, hospitals, medical clinics, public health agencies, rehabilitation agencies, and skilled nursing facilities.
- (18) "Medical professional" means a person who is licensed or certified to provide health care services to natural persons, including but not limited to a chiropractor, clinical dietitian, clinical psychologist, dentist, nurse, occupational therapist, optometrist, pharmacist, physical therapist, physician, podiatrist, psychiatric social worker, or speech-language pathologist.
- (19) "Medical record information" means personal information that:
- (a) relates to an individual's physical or mental condition, medical history, medical claims history, or medical treatment; and
- (b) is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian.
- (20) "Person" means a natural person, corporation, association, partnership, or other legal entity.
- (21) "Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. Personal information includes an individual's name and address and medical record information but does not include privileged information. Identification
- (16) "Licensee" means:
- (22) "Policyholder" means a person who:
- (a) in the case of individual property or casualty insurance, is a present named insured;
- (b) in the case of individual life, health, or disability insurance, is a present policyowner; or
- (c) in the case of group insurance that is individually underwritten, is a present group certificate holder.
- (23) "Pretext interview" means an interview during which a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:
- (a) pretends to be someone else;
- (b) pretends to represent a person not in fact being represented;
- (c) misrepresents the true purpose of the interview; or
- (d) refuses to provide identification upon request.
- (24) "Privileged information" means any individually identifiable information that:
- (a) relates to a civil or criminal proceeding involving an individual; and
- (b) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. Information otherwise meeting the requirements of privileged information under this subsection is considered personal information under this chapter if it is disclosed in violation of 33-19-306.
- (25) "Residual market mechanism" means an association, organization, or other entity defined or described in 61-6-144.
- (26) "Separate, written authorization" means an individual's written authorization that is:
- (a) obtained by the recipient of personal or privileged information that has been disclosed to the recipient pursuant to 33-19-306(10), (11), (14), (15), and (17); and
- (b) separate from any written authorization obtained by the disclosing insurance institution, insurance producer, or insurance-support organization.
- (27) "Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.
- (28) "Unauthorized insurer" means an insurance institution that has not been granted a certificate of authority by the commissioner to transact the business of insurance in this state. Insecurity
- (22) "Policyholder" means a person who:
- History: En. Sec. 4, Ch. 580, L. 1981; amd. Sec. 1, Ch. 713, L. 1989; amd. Sec. 149, Ch. 42, L. 1997; amd. Sec. 1, Ch. 258, L. 1997; amd. Sec. 1, Ch. 212, L. 1999; amd. Sec. 2, Ch. 341, L. 2001; amd. Sec. 1, Ch. 385, L. 2003.
Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.