68th Legislature SB 50.1
7 "SECURITY INCIDENT"; AND AMENDING SECTIONS 2-6-1501, 2-6-1502, AND 2-6-1503, MCA.”
11 NEW SECTION. Section 1. Immediate notification. On discovery or notification of a security
12 incident, a state agency shall provide immediate notification without unreasonable delay to the chief information
13 security officer.
15 Section 2. Section 2-6-1501, MCA, is amended to read:
16 "2-6-1501. Definitions. As used in this part, the following definitions apply:
17 (1) "Breach of the security of a data system" or "breach" means the unauthorized acquisition of
18 computerized data that:
19 (a) materially compromises the security, confidentiality, or integrity of the personal information
20 maintained by a state agency or by a third party on behalf of a state agency; and
21 (b) causes or is reasonably believed to cause loss or injury to a person.
22 (2) "Chief information security officer" means an employee at the department of administration
23 designated by the chief information officer who is responsible for protecting the state's information assets and
24 citizens' data by:
25 (a) advising and overseeing information security strategy and programs for executive branch state
26 agencies without elected officials; and
27 (b) advising and consulting information security strategy and programs for executive branch state
28 agencies with elected officials and the legislative and judicial branches.
-1- Authorized Print Version – SB 50
68th Legislature SB 50.1
1 (2)(3) "Individual" means a human being.
2 (3)(4) "Person" means an individual, a partnership, a corporation, an association, or a public
3 organization of any character.
4 (4)(5) (a) "Personal information" means a first name or first initial and last name in combination
5 with any one or more of the following data elements when the name and data elements are not encrypted:
6 (i) a social security number;
7 (ii) a driver's license number, an identification card number issued pursuant to 61-12-501, a tribal
8 identification number or enrollment number, or a similar identification number issued by any state, the District of
9 Columbia, the Commonwealth of Puerto Rico, Guam, the Virgin Islands, or American Samoa;
10 (iii) an account number or credit or debit card number in combination with any required security
11 code, access code, or password that would permit access to a person's financial account;
12 (iv) medical record information as defined in 33-19-104;
13 (v) a taxpayer identification number; or
14 (vi) an identity protection personal identification number issued by the United States internal
15 revenue service.
16 (b) The term does not include publicly available information from federal, state, local, or tribal
17 government records.
18 (5)(6) "Redaction" means the alteration of personal information contained within data to make all or a
19 significant part of the data unreadable. The term includes truncation, which means that no more than the last
20 four digits of an identification number are accessible as part of the data.
21 (7) "Security incident" means an occurrence that:
22 (a) actually or potentially jeopardizes the confidentiality, integrity, or availability of an information
23 system or the information the system processes, stores, or transmits; or
24 (b) constitutes a violation or imminent threat of violation of security policies, security procedures, or
25 acceptable use policies.
26 (6)(8) (a) "State agency" means an agency, authority, board, bureau, college, commission,
27 committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative
28 or executive branch of state government. The term includes an employee of a state agency acting within the
-2- Authorized Print Version – SB 50
68th Legislature SB 50.1
1 course and scope of employment.
2 (b) The term does not include an entity of the judicial branch.
3 (7)(9) "Third party" means:
4 (a) a person with a contractual obligation to perform a function for a state agency; or
5 (b) a state agency with a contractual or other obligation to perform a function for another state
6 agency."
8 Section 3. Section 2-6-1502, MCA, is amended to read:
9 "2-6-1502. Protection of personal information -- compliance -- extensions. (1) Each state agency
10 that maintains the personal information of an individual shall develop procedures to protect the personal
11 information while enabling the state agency to use the personal information as necessary for the performance
12 of its duties under federal or state law.
13 (2) The procedures must include measures to:
14 (a) eliminate the unnecessary use of personal information;
15 (b) identify the person or state agency authorized to have access to personal information;
16 (c) restrict access to personal information by unauthorized persons or state agencies;
17 (d) identify circumstances in which redaction of personal information is appropriate;
18 (e) dispose of documents that contain personal information in a manner consistent with other
19 record retention requirements applicable to the state agency;
20 (f) eliminate the unnecessary storage of personal information on portable devices; and
21 (g) protect data containing personal information if that data is on a portable device.
22 (3) Except as provided in subsection (4), each state agency that is created after October 1, 2015,
23 shall complete the requirements of this section within 1 year of its creation.
24 (4) The chief information officer provided for in 2-17-511 may grant an extension to any state
25 agency subject to the provisions of the Montana Information Technology Act provided for in Title 2, chapter 17,
26 part 5. The chief information officer shall inform the information technology board the governor, the office of
27 budget and program planning, and the legislative finance committee of all extensions that are granted and of
28 the rationale for granting the extensions. The chief information officer shall maintain written documentation that
-3- Authorized Print Version – SB 50
68th Legislature SB 50.1
1 identifies the terms and conditions of each extension and the rationale for the extension."
3 Section 4. Section 2-6-1503, MCA, is amended to read:
4 "2-6-1503. Notification of breach of security of data system. (1) (a) Upon discovery or notification
5 of a breach of the security of a data system, a state agency that maintains computerized data containing
6 personal information in the data system shall make reasonable efforts to notify any person whose unencrypted
7 personal information was or is reasonably believed to have been acquired by an unauthorized person.
8 (b) The notification must be made without unreasonable delay, consistent with the legitimate
9 needs of law enforcement as provided in subsection (3) or with any measures necessary to determine the
10 scope of the breach and to restore the reasonable integrity of the data system.
11 (2) (a) A third party that receives personal information from a state agency and maintains that
12 information in a computerized data system to perform a state agency function shall:
13 (i) notify the state agency immediately following discovery of the breach if the personal information
14 is reasonably believed to have been acquired by an unauthorized person; and
15 (ii) make reasonable efforts upon discovery or notification of a breach to notify any person whose
16 unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as
17 part of the breach. This notification must be provided in the same manner as the notification required in
18 subsection (1).
19 (b) A state agency notified of a breach by a third party has no independent duty to provide
20 notification of the breach if the third party has provided notification of the breach in the manner required by
21 subsection (2)(a) but shall provide notification if the third party fails to do so in a reasonable time and may
22 recover from the third party its reasonable costs for providing the notice.
23 (3) The notification required by this section may be delayed if a law enforcement agency
24 determines that the notification will impede a criminal investigation and requests a delay of notification. The
25 notification required by this section must be made after the law enforcement agency determines that the
26 notification will not compromise the investigation.
27 (4) All state agencies and third parties to whom personal information is disclosed by a state
28 agency shall develop and maintain:
-4- Authorized Print Version – SB 50
68th Legislature SB 50.1
1 (a) an information security policy designed to safeguard personal information; and
2 (b) breach notification procedures that provide reasonable notice to individuals as provided in
3 subsections (1) and (2).
4 (5) A state agency or third party that is required to issue a notification to an individual pursuant to
5 this section shall simultaneously submit to the state's chief information security officer at the department of
6 administration and to the attorney general's consumer protection office an electronic copy of the notification and
7 a statement providing the date and method of distribution of the notification. The electronic copy and statement
8 of notification must exclude any information that identifies the person who is entitled to receive notification. If
9 notification is made to more than one person, a single copy of the notification that includes the number of
10 people who were notified must be submitted to the chief information officer and the consumer protection office."
12 NEW SECTION. Section 5. Codification instruction. [Section 1] is intended to be codified as an
13 integral part of Title 2, chapter 6, part 15, and the provisions of Title 2, chapter 6, part 15, apply to [section 1].
14 - END -
-5- Authorized Print Version – SB 50

Statutes affected:
SB0050_1.pdf: 2-6-1501, 2-6-1502, 2-6-1503
SB0050_2.pdf: 2-6-1501, 2-6-1502, 2-6-1503
SB0050_3.pdf: 2-6-1501, 2-6-1502, 2-6-1503
SB0050_X.pdf: 2-6-1501, 2-6-1502, 2-6-1503
Amended: 2-6-1501, 2-6-1502, 2-6-1503
Introduced: 2-6-1501, 2-6-1502, 2-6-1503