Privacy & Information Security Law Blog

On February 23, 2015, the Wyoming Senate approved a bill (S.F.36) that adds several data elements to the definition of “personal identifying information” in the state’s data breach notification statute. The amended definition will expand Wyoming’s breach notification law to cover certain online account access credentials, unique biometric data, health insurance information, medical information, birth and marriage certificates, certain shared secrets or security tokens used for authentication purposes, and individual taxpayer identification numbers. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill (S.F.35) that adds content requirements to the notice that breached entities must send to affected Wyoming residents. Both bills are now headed to the Wyoming Governor Matt Mead for signing.

Bill S.F.36 would broaden the definition of “personal identifying information” to include an individual’s first name or first initial and last name in combination with any one or more of the data elements below:

• Social Security number;
• driver’s license number;
• account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the individual;
• tribal identification card;
• federal or state government issued identification card;
• shared secrets or security tokens that are known to be used for data based authentication;
• username or email address, in combination with a password or security question and answer that would permit access to an online account;
• birth or marriage certificate;
• medical information;
• health insurance information;
• unique biometric data; or
• individual taxpayer identification number.

Bill S.F.35 would impose content requirements on the notice that breached entities must send affected Wyoming residents. Specifically, if enacted, the bill would require the notice to affected Wyoming residents to include (1) the types of personal identifying information subject to the breach, (2) a general description of the breach, (3) the approximate date of the breach, (4) the remedial actions taken by the entity, (5) advice directing the Wyoming resident to remain vigilant, and (6) whether notification was delayed pursuant to a request from law enforcement.

Both bills are headed to the Governor of Wyoming, Matt Mead, for his consideration.

Update: On March 2, 2015, Wyoming Governor Matt Mead signed both bills into law. The bills will become effective on July 1, 2015.