Wyoming recently joined the list of states that have broadened the scope of their data breach notification laws. On March 2, 2015, Wyoming enacted two bills (S.F. 35 and S.F. 36) that expand the definition of personally identifiable information (PII) and add minimum content requirements for notifications to affected individuals. Specifically, S.F. 36 broadens the definition of PII to include a person's first name or first initial and last name in combination with one or more of the following new data elements:
- Bank account number or credit or debit card number in combination with any security code that would allow access to a financial account;
- Shared secrets or security tokens that are known to be used for data-based authentication;
- Username or email address in combination with a password or security questions and answer;
- Birth or marriage certificate;
- Medical information, defined as a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
- Health insurance information, defined as a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application, and claims history; and
- Unique biometric data used for authentication purposes.
Wyoming’s expansion of the definition of personal information to include usernames and passwords for online accounts follows a recent trend begun by California in 2014. Florida and Puerto Rico have made similar amendments to their respective breach notification laws.
The second bill (S.F. 35) requires that notices to affected individuals “be clear and conspicuous” and include, at a minimum:
- The types of PII reasonably believed affected;
- A general description of the incident;
- The approximate date of the breach;
- The general actions taken by the company to prevent further breaches; and
- Advice directing affected persons to remain vigilant by reviewing account statements and monitoring credit reports.
S.F. 35 also provides that entities subject to, and in compliance with, the Health Insurance Portability and Accountability Act (HIPAA) are deemed to comply with the Wyoming breach notification statute if they notify Wyoming residents according to the requirements of that act.
The most significant aspect of Wyoming’s amendments is that companies will be obligated to notify affected individuals in a broader range of circumstances. The amendments to the Wyoming law go into effect July 1, 2015.
Given the increasing frequency of data breaches, state legislators and attorneys general who want to appear tough on cybercrime are likely to keep pressing, without significant opposition, for more stringent data breach notification laws. Companies should therefore expect continued expansion of state data breach notification laws in 2015.