09 Jun Wyoming Legislative Update
The Wyoming legislature recently amended its consumer protection laws governing personal identifying information and security breach notices. The legislation is effective July 1, 2015.
WYOMING SENATE FILE 36
“Personal identifying information” means the first name or first initial and last name of a person in combination with one or more of the following data elements of an individual person when the data elements are not redacted:
- Telephone number
- Social security number;
- Driver’s license number;
- Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person;
- Tribal identification card;
- Federal or state government issued identification card;
- Shared secrets or security tokens that are known to be used for data based authentication;
- A username or email address, in combination with a password or security question and answer that would permit access to an online account;
- A birth or marriage certificate;
- Medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- Health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history;
- Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; and
- An individual taxpayer identification number.
Wyoming Senate File 35
The security breach notice for a breach of security of personal identifying information of computerized data must be clear and conspicuous and must include, at a minimum:
- A toll-free telephone number that the individual may use to contact the person collecting the data, or his or her agent and from which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
- The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;
- A general description of the breach incident;
- The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;
- In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports; and
- Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.