33-19-321. Computer security breach. (1) Any licensee or insurance-support organization that conducts business in Montana and that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery or notice of the breach of the security of the system to any individual whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The notice must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3), or consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Terms Used In Montana Code 33-19-321

  • Discovery: Lawyers' examination, before trial, of facts and documents in possession of the opponents to help the lawyers prepare for trial.
  • Individual: means a natural person who:

    (a) regarding property or casualty insurance, is a past, present, or proposed named insured or certificate holder;

    (b) regarding life, health, or disability insurance, is a past, present, or proposed principal insured or certificate holder;

    (c) is a past, present, or proposed policyowner;

    (d) is a past or present applicant;

    (e) is a past or present claimant; or

    (f) derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this chapter. See Montana Code 33-19-104

  • Insurance function: means claims administration, claims adjustment and management, fraud investigation, fraud prevention, underwriting, loss control, ratemaking functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, subrogation, grievance procedures, insurance transactions, internal administration of compliance and policyholder service functions, and technical, administrative, or professional services related to the provision of the functions described in this subsection. See Montana Code 33-19-104
  • Insurance-support organization: means a person who assembles or collects information about natural persons for the purpose of providing the information to an insurance institution or insurance producer for insurance transactions, including:

    (i) the furnishing of consumer reports or investigative consumer reports to an insurance institution or insurance producer for use in connection with an insurance transaction; or

    (ii) the collection of personal information from insurance institutions, insurance producers, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity. See Montana Code 33-19-104

  • Licensee: means:

    (a) an insurance institution, insurance producer, or other person who is licensed or required to be licensed, authorized or required to be authorized, or registered or required to be registered pursuant to this title; or

    (b) a surplus lines insurer. See Montana Code 33-19-104

  • Person: means a natural person, corporation, association, partnership, or other legal entity. See Montana Code 33-19-104
  • Personal information: means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. See Montana Code 33-19-104
  • State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Montana Code 1-1-201
  • United States: includes the District of Columbia and the territories. See Montana Code 1-1-201

(2) Any person to whom personal information is disclosed in order for the person to perform an insurance function pursuant to this part that maintains computerized data that includes personal information shall notify the licensee or insurance-support organization of any breach of the security of the system in which the data is maintained immediately following discovery of the breach of the security of the system if the personal information was or is reasonably believed to have been acquired by an unauthorized person.

(3) The notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and requests a delay of notice. The notice required by this section must be made after the law enforcement agency determines that the notice will not compromise the investigation.

(4) Licensees, insurance-support organizations, and persons to whom personal information is disclosed pursuant to this part shall develop and maintain an information security policy for the safeguarding of personal information and security breach notice procedures that provide expedient notice to individuals as provided in subsection (1).

(5) Any licensee or insurance-support organization that is required to issue a notification pursuant to this section shall simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the commissioner, excluding any information that personally identifies any individual who is entitled to receive notification. If a notification is made to more than one individual, a single copy of the notification must be submitted that indicates the number of individuals in the state who received notification.

(6) For purposes of this section, the following definitions apply:

(a) “Breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a licensee, insurance-support organization, or person to whom information is disclosed pursuant to this part. Acquisition of personal information by a licensee, insurance-support organization, or employee or agent of a person as authorized pursuant to this part is not a breach of the security of the system.

(b)(i) “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and the data elements are not encrypted:

(A) social security number;

(B) driver’s license number, state identification card number, or tribal identification card number;

(C) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

(D) medical record information;

(E) a taxpayer identification number; or

(F) an identity protection personal identification number issued by the United States internal revenue service.

(ii) Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.