Montana became the latest state to revise its data breach notification law to take into account recent data breaches affecting millions of consumers. In particular, the Montana law was revised to include medical record information (which is not included in most state breach notification laws), a taxpayer identification number and “an identity protection personal identification number issued by the United States internal revenue service” in the definition of “personal information” that requires breach notification. This is no doubt in response to the millions of Americans whose identities have been used to file fraudulent tax returns with the IRS.
It is significant that the Montana law requires notification for the breach of any health information, as this requirement is arguably stricter than the breach notification requirements of the HIPAA Omnibus Rule. This change will be important for health care entities and any other companies that maintain health records. This law applies to all companies, not just health care entities and business associates covered by HIPAA.
The law now also requires state agencies and private entities that suffer a data breach to notify the Attorney General’s consumer protection office, and any licensee or insurance-support organization to notify the commissioner of insurance of the data breach.
This last change is significant for any insurance companies licensed in Montana, because if the company has a data breach involving Montana residents, the law requires that it notify the insurance commissioner, as well as the AG’s office. For those who follow breach notification laws, this is an unusual requirement, and one that is relevant for breach response preparedness.
All in all, the Montana law closes holes in its data breach law of the kind that have been criticized in many other state breach notification laws, and it addresses suggestions made for a national breach notification law. No doubt other states will follow and strengthen their laws to address the recent massive data breaches of consumers’ personal information.