Wyoming Security Breach Law
WY Stat § 40-12-501 - § 40-12-502
SUMMARY:
EFFECTIVE. July 1, 2007
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Wyoming and owns or licenses computerized data that includes Personal Information on a resident; and (2) any person or entity which maintains computerized data that includes Personal Information on a State resident.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that materially compromises the security, integrity or confidentiality of Personal Information maintained by a person or business, which causes or is reasonably likely to cause loss or injury to a resident.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted:
- Social Security Number.
- Driver’s license number, Tribal identification card, Federal or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- A username or email address in combination with a password or security question and answer.
- Birth or Marriage certificate.
- Medical history, mental or physical condition, treatment, or diagnosis.
- Health insurance information that would include health insurance policy number or subscriber identification number or information related to a person’s application or claim history.
- Unique biometric data that would include data from measurements or analysis of human body characteristics for authentication purposes.
- Individual taxpayer identification number.
- Security tokens or shared secrets that are known to be used for database authentication.
Personal Information does not include information, regardless of the source, contained in any federal, state, or local government records or in widely distributed media that are lawfully made available to the general public.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent by the owner or licensor to the residents affected if the person or business, after a reasonable and prompt investigation, determines that misuse of Personal Information has occurred, or is reasonably likely to occur.
EXCEPTION. This Section does not apply to the following:
- Good faith acquisition of Personal Information by an employee or agent of the person or business for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
- Any financial institution or Federal credit union that maintains notification procedures as required by 15 U.S.C. 6801(B)(3) and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B is considered in compliance with this Section if it notifies the affected residents in accordance with these policies.
- HIPAA Covered Entity exception. A covered entity or business associate that is subject to and in compliance with HIPAA and the regulations of 45 C.F.R. 160 and 164(a) shall be deemed to be in compliance if they notify affected Wyoming customers or entities in compliance with HIPAA.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business first becomes aware of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, and any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines, in writing, that it will impede a criminal investigation.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic.
- Substitute notice as provided below.
The notice shall be clear and conspicuous and shall include at a minimum:
- Toll-free number for the person, business, or their agent providing the notice to be contacted, and from which the toll-free numbers and addresses for the major credit reporting agencies may be obtained.
- Types of Personal Identifying Information that were or are reasonably believed to be subject to the breach.
- General description of the breach incident.
- Approximate date of the breach, if possible to determine at the time notice is provided.
- Actions taken by the individual or entity to protect the system containing the Personal Identifying Information from further breach.
- Directions for the person to be vigilant by reviewing account statements and monitoring credit reports.
- Information as to whether notification was delayed due to law enforcement investigation, if possible to determine at the time the notice is provided.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $10,000 for Wyoming-based persons or businesses or $250,000 for all other businesses, the affected class of persons to be notified exceeds 10,000 for Wyoming-based persons or businesses and 500,000 for all other businesses, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification to major statewide media (to include a toll-free phone number where an individual can learn if their Personal Information is included in the breach).
NOTICE TO THIRD-PARTIES. Any person or business that maintains computerized data that includes Personal Information that it does not own, shall notify the owner or licensor of a security breach as soon as possible following discovery. The person or business which maintains the data on behalf of another, and the business entity on whose behalf the data is maintained may agree who will provide notice; however, only a single notice for each breach is required. If an agreement cannot be reached, then the party with the direct business relationship with the resident shall provide notice.
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may bring an action in law and equity for any violations of this Section to ensure compliance and/or recover damages.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. None.
LEGISLATIVE UPDATES.
S.F. 0053 – Signed into law on 3/1/2007, Effective 7/1/2007.
S.F. 0035 – Signed into law on 3/2/2015, Effective 7/1/2015.
S.F. 0036 – Signed into law on 3/2/2015, Effective 7/1/2015.
For more information, see here: https://wyoleg.gov/NXT/gateway.dll?f=templates&fn=default.htm
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.