July is set to start with a bang in Wyoming when two new bills go into effect that significantly amend the state’s data breach notification law.
The bills — S.F. 35 and S.F. 36 — follow recent trends in state law amendments by expanding the definition of personal information and adding to the list of content that must be included in a notification to affected individuals.
Prior to the passage of S.F. 36, the Wyoming Consumer Protection Act considered personal information to be the first name or first initial and last name of a person in combination with a Social Security number, a driver's license number or Wyoming identification card number, an account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person, a tribal identification card, or a federal or state government issued identification card.
Effective July 1st, the definition of personal information is significantly expanded to include:
- Shared secrets or security tokens that are known to be used for data based authentication.
- A username or email address, in combination with a password or security question and answer.
- A birth or marriage certificate.
- Medical information.
- Health insurance information.
- Unique biometric data.
- An individual taxpayer identification number.
In S.F. 35, similar to a change coming up in the state of Washington, we see new requirements for the type of information a notice to affected individuals must contain. Previously, a notification needed to include a toll-free number that an individual could use to contact the person collecting the data, or his agent, and from which the individual could learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
As of July 1st, those same notifications must include at a minimum:
- The types of personal identifying information that were or are reasonably believed to have been the subject of the breach.
- A general description of the breach incident.
- The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided.
- In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches.
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports.
- Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.
The biggest impact to companies that are regulated by the state’s privacy law is how much broader the circumstances are that will be considered a notifiable breach of security, particularly in regards to medical and health information. With data breaches on the rise, expect to see more changes to privacy regulation as states continue to refine the protection of personal information.
For our RADAR users, note that you’ll see the changes in Wyoming law applied on July 1st — the same day that the amendments go into effect. If you haven’t stopped by the Resources tab lately, you’ll also find a couple of new documents focused on notification obligations: Notifications to affected individuals - state content requirements table (a handy at-a-glance guide) and Notifications to affected individuals - state content and method requirements (a deeper dive into notifications, including permitted delivery methods).