Bill Expands PII Definition, and Adds Government Notice Requirement

The Big Sky Country’s data breach statute is going to see some small changes come October.

On Feb. 27, 2015 Montana Governor Steve Bullock signed H.B. 74 into law, amending the state’s data breach notification statute.  Among its changes, H.B. 74 broadens the definition of personal information (“PI”) and requires entities giving notice to consumers under the statute to also provide a copy to the Montana Attorney General’s office.

The amendments, which go into effect October 1, 2015, are slight changes to the state law rather than major changes. For instance, H.B. 74 expands the present definition of PI to now include medical record information (as defined in Mont. Code Ann. § 33-19-104), taxpayer identification numbers and   issued by the federal Internal Revenue Service.

H.B. 74 further requires entities who give notice under Montana’s data breach statute to also simultaneously submit an electronic copy of the notice along with the number of in-state individuals who were notified to the Montana Attorney General’s Consumer Protection Office.

While States Move Forward, Data Breach Bills Wait on Capitol Hill

Montana’s amendments come on the heels of Wyoming’s recent, and much more extensive, changesto its data breach notification statute. Montana’s modifications are not as earth-shattering as Wyoming’s, but they do add additional wrinkles to an already complex compliance framework, such that businesses that suffer a data breach may have to contend with 47 different state requirements. And Montana and Wyoming are not the only states looking to change their data breach statutes: a flurry of bills proposing changes to local notification requirements have been introduced in state legislatures across the country. And New Mexico, which is one of only three remaining states not to have a data breach law on its books, is currently considering H.B. 217, which would create the state’s first data breach notification requirements. H.B. 217 recently passed New Mexico’s lower house, and is awaiting action by the state Senate.

The action at the state level regarding data breach notification requirements has, so far, not been echoed in Washington, D.C., despite high hopes at the start of the legislative session just two months ago.

The action at the state level on data breach notification requirements has, so far, not been echoed to any great degree in Washington, D.C., despite high hopes at the start of the legislative session just two months ago that a federal data breach notification statute would make significant headway following reports of multiple large-scale data breaches over the past years. A number of data breach bills were introduced both before and after the White House’s cyber push leading up to President Obama’s State of the Union address on January 20. Yet despite the amount of legislation proposed, no data breach bill has passed in either chamber yet.

Most recently, the House Subcommittee on Commerce, Manufacturing and Trade released the discussion draft of the Data Security and Breach Notification Act, and announced that hearings on the draft would commence on March 18th. The Subcommittee’s efforts to tackle data security are encouraging, and may suggest that more data breach bills are being readied for review in one or both chambers. Further, the legislative calendar is still relatively young, so there is hope that the spring thaw in Washington will bring renewed congressional attention to data security issues.

In the meantime, states like Montana are continuing to add more complexity to interpreting and applying the already complex patchwork of data breach statutes across the country.