Computer Security Legislation
The bill came out of the Economic Affairs Interim Committee two years ago as part of its identity theft prevention study.
In Montana law, there is a ‘duty to protect’, and that includes “protecting individual privacy and the privacy of information contained within information technology systems.” (MCA 2-17-505(1))
This bill extends private sector requirements to state government.
To put the requirement of security and notification in perspective, remember the computer security breach at D A Davidson about a year ago, when customer information was stolen from a computer database by a hacker. The personal information of tens of thousands of clients was stolen, and the company and its customers worried that the social security numbers and personal information could be used in identity theft.
Now, as bad as it was that a private computer system was accessed and the information stolen, the company realized that there had been a security breach and notified all of its clients so that they could take action to protect themselves if someone did try to use their personal information fraudulently.
House Bill 155 requires state government to develop processes to secure personal information and to notify people if ever that information is compromised or stolen.
Just think of how much personal information is held in any of these entities, and it’s easy to realize that it’s imperative to protect that information.
The notification requirement in the event of a security breach says that people must be notified in a timely fashion and that a third party working on behalf of a state entity must notify the state agency and the people affected.
House Bill 155 is a good government bill, a pro-privacy, anti-identity theft bill.
The Montana Department of Administration worked diligently on this legislation, and I was most proud to sponsor it. The bill passed the House of Representatives unanimously on January 19 (second reading) 97-0 and January 20 (third reading) 98-0.