Montana Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business stores personal information belonging to Montana residents, a data breach triggers specific legal obligations under Montana's breach notification statute. Mont. Code Ann. 30-14-1704 through 30-14-1706 sets out who must notify, what triggers the duty, and how quickly you need to act. Montana enacted its original breach notification law in 2005, and the legislature has amended it several times to expand the definition of personal information and tighten notification requirements.
This guide covers the full scope of Montana's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, penalties, exemptions, and how the Montana Consumer Data Privacy Act (MCDPA) interacts with breach obligations.
Who Must Comply With Montana's Breach Notification Law
Montana's law applies to any person or business that conducts business in Montana and owns or licenses computerized data that includes personal information. It also applies to any person or business that maintains computerized data containing personal information that it does not own. This captures both data owners and third-party service providers such as cloud hosting companies or payment processors.
When a third-party data maintainer discovers a breach, it must notify the data owner or licensee "as soon as the discovery is made." The data owner then carries the primary responsibility to notify affected consumers and the Attorney General.
Government Entities
Montana's breach notification law applies to state agencies and local government entities. Government bodies that maintain personal information about Montana residents must follow the same notification requirements as private businesses.
What Qualifies as a Breach
Under Mont. Code 30-14-1702, a "breach of the security of the data system" means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.
The key word is "materially." Not every unauthorized access rises to the level of a breach. The entity must assess whether the access created a real risk of harm.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the entity does not constitute a breach, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Encryption Safe Harbor
Montana provides a safe harbor for encrypted data. If the compromised personal information was encrypted and the encryption key was not acquired along with the data, notification is not required. However, if the encryption key was also compromised, the safe harbor does not apply and full notification obligations are triggered.
Personal Information That Triggers Notification
Montana's definition of personal information is broader than that of many states. Under Mont. Code 30-14-1702, personal information means an individual's first name or first initial and last name combined with any one or more of the following:
- Social Security number
- Driver's license number, state ID card number, or tribal ID number
- Account number or credit or debit card number combined with any required security code, access code, or password that would permit access to the account
- Medical record information
- Health insurance identification number
- Taxpayer identification number
The inclusion of medical records, health insurance IDs, and taxpayer identification numbers makes Montana's definition notably broader than states that only cover financial account data and SSNs.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Notification Timeline
Montana requires notification "without unreasonable delay." Unlike states such as Indiana (45 days) or Colorado (30 days), Montana does not impose a specific day count. The standard is flexible but carries real enforcement risk if the Attorney General determines a delay was unreasonable.
When Delay Is Permitted
A delay in notification is reasonable if it is necessary to:
- Determine the scope of the breach and restore the reasonable integrity of the data system
- Comply with a request from law enforcement to delay notification because it would impede a criminal investigation
When a delay occurs for law enforcement purposes, notification must be made without unreasonable delay after law enforcement determines disclosure no longer compromises the investigation.
Who Must Be Notified
Affected Individuals
Every Montana resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person must be notified.

The notification must include:
- A description of the type of personal information compromised
- Contact information for the entity providing the notice
- Contact information for the three major credit reporting agencies
- Advice directing the individual to remain vigilant by reviewing account statements and monitoring free credit reports
Montana Attorney General
The Montana Attorney General's Consumer Protection Office must be notified of any breach affecting Montana residents. Under Mont. Code 30-14-1704(6), notification to the AG must be made "when the person or business provides notice of the breach."
This is a mandatory requirement for every breach that triggers consumer notification, regardless of the number of affected residents.
Consumer Reporting Agencies
When a breach affects Montana residents, and the entity is also required to notify under federal law or other state laws that trigger CRA notification, the entity should notify the nationwide consumer reporting agencies. Montana's statute does not set a specific numeric threshold for CRA notification like some other states.
How to Provide Notification
Montana permits the following notification methods:
- Written notice sent by mail to the last known address of the individual
- Electronic notice if the entity's primary means of communication with the individual is electronic
- Telephone notification
Substitute Notice
Substitute notice is available when:
- The cost of notification would exceed $250,000
- The affected class exceeds 500,000 individuals
- The entity does not have sufficient contact information
Substitute notice must consist of all three of the following:
- Email notice to individuals for whom the entity has an email address
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets
Enforcement and Penalties

Montana's breach notification law is enforced by the Attorney General under the Montana Unfair Trade Practices and Consumer Protection Act (Mont. Code 30-14-103). Violations of the breach notification statute constitute unfair or deceptive trade practices.
The Attorney General may seek:
- Injunctive relief to stop ongoing violations
- Civil penalties up to $10,000 per violation under the Unfair Trade Practices Act
- Restitution for affected consumers
There is no private right of action for breach notification violations. Only the Attorney General can bring enforcement actions under this statute.
How the MCDPA Interacts With Breach Notification
The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, created a comprehensive privacy framework for Montana. However, the MCDPA does not contain its own breach notification requirements. Businesses subject to the MCDPA must still follow Mont. Code 30-14-1704 for breach notification.
The MCDPA does add relevant obligations that affect breach preparedness:
- Data security requirement: Controllers must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
- Data minimization: Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose.
- Sensitive data consent: Biometric data, precise geolocation, and other sensitive categories require explicit consumer consent before processing.
The MCDPA is enforced separately by the Attorney General, with penalties up to $7,500 per violation and a 60-day right to cure before enforcement action.
Sources and References
This article draws from the following official Montana government sources:
- Mont. Code Ann. 30-14-1704 (Disclosure of Breach) - Full text of Montana's breach notification statute
- Mont. Code Ann. 30-14-1702 (Definitions) - Definitions of personal information and breach
- Montana Attorney General Consumer Protection - AG consumer protection portal
- Mont. Code Ann. 30-14-103 (Unfair Trade Practices) - Enforcement framework
This article provides general legal information about Montana data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Montana for guidance specific to your situation.