Data Protection Report - Norton Rose Fulbright

On March 2, 2015, Wyoming signed into law Senate Bills S.F. 35 and S.F. 36, which amend the content requirements for breach notifications in W.S. 40-12-502 and the definition of “Personal Identifying Information” in W.S. 40-12-501. These amendments will take effect on July 1, 2015.

The current version of W.S. 40-12-501 defines Personal Identifying Information as “the first name or first initial and last name of a person in combination with one (1) or more of the following data elements when either the name or the data elements are not redacted: Social security number; Driver’s license number or Wyoming identification card number; Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person; Tribal identification card; or Federal or state government issued identification card.”

S.F. 36 expands this definition to include shared secrets or security tokens that are known to be used for data based authentication; a username or email address, in combination with a password or security question and answer that would permit access to an online account; a birth or marriage certificate; medical information; health insurance information; and unique biometric data.

Currently, W.S. 40-12-502 requires individuals or commercial entities to provide breach notifications to affected Wyoming residents “when it becomes aware of a breach of the security of the system . . . [and determines] that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur.”  The notification is currently required to include only “toll-free numbers . . . [t]hat the individual may use to contact the person collecting the data, or his agent; and [f]rom which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.”

S.F. 35 does not change the threshold for when notification is required, but adds to the content requirements for breach notifications.  After July 1, notifications will be required to include a description of the type of information involved in the breach, a general description of the circumstances of the breach incident, the approximate date of the breach (if reasonably possible to determine), the actions taken to protect the system from further breaches, and advice “direct[ing] the person to remain vigilant by reviewing account statements and monitoring credit reports.”

Wyoming is joining a growing number of states, like Washington and Nevada, that are broadening the protection of their data privacy laws. The broader definition of Personal Identifying Information, coupled with the additional information that the state will require to be included in breach notifications, could have an impact on businesses that own or license data of Wyoming residents. The growing number of circumstances in which businesses are obligated to provide notice, and the additional information that must be included in these notifications, are likely to result in increased costs for businesses responding to data breaches in Wyoming.