Wyoming has updated its data breach notification statute to widen the definition of “personal identifying information” that will trigger notification to individuals. In addition, the amendments prescribe the information to be contained in the notice and provide a safe harbor to entities that provide notice in compliance with and under the requirements of the Health Insurance Portability and Accountability Act. The changes in the law will become effective July 1, 2015.
The amendment expands the definition of personal information to now include an individual’s first name or first initial and last name in combination with any of the following: (1) Social Security number, (2) driver’s license number, (3) account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person, (4) tribal identification card, (5) federal or state government-issued identification card, (6) shared (login) secrets or security tokens known to be used for data-based authentication purposes, (7) a username or email address when combined with a password or security question and answer that would permit access to an online account, (8) a birth or marriage certificate, (9) medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, (10) health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or information related to a person’s application and claims history, (11) unique biometric data, or (12) an individual taxpayer identification number.
With the expansion, Wyoming’s statute goes beyond the laws of states like California and Florida, which include health information and email addresses or usernames in combination with a password or security question and answer. Most other states only include an individual’s name plus an identifier such as a Social Security number or financial or payment card account number that could allow access to an individual’s credit or financial accounts in their definition of “personal information.” Wyoming is unique in including data points such as shared login secrets or security tokens and birth or marriage certificates.
The amendment to the law will also now require notices to individuals to include the following elements: (1) the types of personal identifying information subject to the breach, (2) a general description of the breach, (3) the approximate date of the breach, (4) the remedial actions taken by the entity, (5) advice directing the Wyoming resident to remain vigilant, and (6) whether notification was delayed pursuant to a request from law enforcement.