Wyoming Amends Data Breach Statute | Practical Law

The Governor of Wyoming has signed two bills into law that amend the state's data breach notification statute. The bills broaden the definition of personally identifiable information (PII) and require covered entities to include additional information when disclosing the breach.

Practical Law Legal Update 0-604-1626 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 11 Mar 2015 | Wyoming
On March 2, 2015, Wyoming Governor Matt Mead signed S.F. 35 and S.F. 36 into law, which collectively amend the state's data breach notification statute, Wyo. Stat. Ann. § 40-12-502, to expand:
  • The definition of personally identifiable information (PII).
  • The content requirements for notices to affected persons.

Definition of PII

The current version of § 40-12-502 defines personal identifying information to include first name or initial plus last name in combination with any of the following elements:
  • Social Security number.
  • Driver's license or Wyoming identification card number.
  • Account, credit or debit card number in combination with any security code, access code or password that would allow access to an individual's financial account.
  • Tribal identification card number.
  • Federal or state government issued identification card.
S.F. 36 amends § 40-12-502 to cross-reference § 6-3-901 for the definition of PII. Section 6-3-901 in turn broadens the definition to add the following elements:
  • Address.
  • Telephone number.
  • Shared login secrets or security tokens known to be used for data-based authentication.
  • A username or e-mail address, in combination with a required password or security question and answer.
  • A birth or marriage certificate.
  • Medical, biometric or health insurance information.
  • An individual taxpayer identification number.
While the amendments significantly expand the definition of PII, the statute retains, as a condition of notification, the requirement that the breach causes, or is reasonably believed to cause, injury or loss to a Wyoming resident.

Notice Contents

The current version of the statute requires only that the notice to affected persons include a toll-free number where they can contact the notifying entity and request information about the major credit reporting agencies. S.F. 35 amends the statute to require "clear and conspicuous" notice and broaden the information that must be disclosed when notifying affected persons of a breach to include:
  • The types of PII that were or are reasonably believed to have been the subject of the breach.
  • A general description of the breach incident.
  • The approximate date of the breach of security, if that information is reasonably possible to determine when notice is provided.
  • The actions taken by the individual or commercial entity to protect the system containing the PII from further breaches.
  • Advice directing the person to remain vigilant by reviewing account statements and monitoring credit reports.
  • Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine when the notice is provided.
Additionally, entities that are subject to and comply with HIPAA regulations are considered to be in compliance with Wyo. Stat. Ann. § 40-12-502.
Both amendments will take effect on July 1, 2015.