Montana Code Annotated 2023

TITLE 2. GOVERNMENT STRUCTURE AND ADMINISTRATION

CHAPTER 6. PUBLIC RECORDS

Part 15. State Agency Protection of Personal Information

Definitions

2-6-1501. Definitions. As used in this part, the following definitions apply:

(1) "Breach of the security of a data system" or "breach" means the unauthorized acquisition of computerized data that:

(a) materially compromises the security, confidentiality, or integrity of the personal information maintained by a state agency or by a third party on behalf of a state agency; and

(b) causes or is reasonably believed to cause loss or injury to a person.

(2) "Chief information security officer" means an employee at the department of administration designated by the chief information officer who is responsible for protecting the state's information assets and citizens' data by:

(a) advising and overseeing information security strategy and programs for executive branch state agencies without elected officials;

(b) advising and consulting information security strategy and programs for executive branch state agencies with elected officials and the legislative and judicial branches; and

(c) advising information security strategy and programs for city, county, consolidated city-county, and local governments and for school districts, other political subdivisions, or tribal governments.

(3) "Individual" means a human being.

(4) "Person" means an individual, a partnership, a corporation, an association, or a public organization of any character.

(5) (a) "Personal information" means a first name or first initial and last name in combination with any one or more of the following data elements when the name and data elements are not encrypted:

(i) a social security number;

(ii) a driver's license number, an identification card number issued pursuant to 61-12-501, a tribal identification number or enrollment number, or a similar identification number issued by any state, the District of Columbia, the Commonwealth of Puerto Rico, Guam, the Virgin Islands, or American Samoa;

(iii) an account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account;

(iv) medical record information as defined in 33-19-104;

(v) a taxpayer identification number; or

(vi) an identity protection personal identification number issued by the United States internal revenue service.

(b) The term does not include publicly available information from federal, state, local, or tribal government records.

(6) "Redaction" means the alteration of personal information contained within data to make all or a significant part of the data unreadable. The term includes truncation, which means that no more than the last four digits of an identification number are accessible as part of the data.

(7) "Security incident" means an occurrence that:

(a) actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or

(b) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

(8) (a) "State agency" means an agency, authority, board, bureau, college, commission, committee, council, department, hospital, institution, office, university, or other instrumentality of the legislative or executive branch of state government. The term includes an employee of a state agency acting within the course and scope of employment.

(b) The term does not include an entity of the judicial branch.

(9) "Third party" means:

(a) a person with a contractual obligation to perform a function for a state agency; or

(b) a state agency with a contractual or other obligation to perform a function for another state agency.

History: En. Sec. 25, Ch. 348, L. 2015; amd. Sec. 61, Ch. 348, L. 2015; amd. Sec. 2, Ch. 227, L. 2023.