Amended Security Breach Law in the State of Wyoming
Wyo. Stat. § 40-12-50 is a data breach notification law that was initially passed in the U.S. state of Wyoming in 2007 and later amended in 2015. Like other data breach notification laws around the country that have been amended in recent years, Wyo. Stat. § 40-12-50 was updated to give residents of the state an enhanced level of legal protection when data breaches take place, by expanding the categories of personal information that are covered under the law. Wyo. Stat. § 40-12-50 also places various requirements on businesses within Wyoming concerning the handling of data breach incidents.
How is a data breach defined under Wyo. Stat. § 40-12-50?
Under Wyo. Stat. § 40-12-50, a data breach is defined as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained by an Entity and causes or is reasonably believed to cause loss or injury to a resident of WY.” Conversely, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the data system, provided that the PI is not used or subject to further unauthorized disclosure.” Additionally, as it relates to the scope and application of the law, the provisions of Wyo. Stat. § 40-12-50 apply to any “individual or commercial entity (collectively, Entity) that conducts business in WY and that owns or licenses computerized data that includes PI about a resident of WY.”
What are the data breach requirements under Wyo. Stat. § 40-12-50?
Under Wyo. Stat. § 40-12-50, a business entity that experiences a data breach is responsible for providing notice to all affected individuals, in the most expedient manner possible and without unreasonable delay. Moreover, these notifications must provide residents of Wyoming with the following information:
- A description of the data breach, in general terms.
- A description of the actions or measures that the affected entity has taken to restore the reasonable integrity of the data system that sustained the breach, in general terms.
- The types of personal information that were compromised as a result of the breach.
- The approximate date on which the breach occurred, if such information can be determined.
- Advice concerning the steps that Wyoming residents can take to reduce the risks of being involved in a data breach, such as remaining vigilant, monitoring credit reports, and reviewing financial records and account statements.
- A toll-free number that the individual may use to contact the person collecting the data, or his agent; and from which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
- Whether the notification has been delayed as a result of a law enforcement investigation, if such information can be determined.
What types of personal information are legally protected under Wyo. Stat. § 40-12-50?
Under the provisions set forth in Wyo. Stat. § 40-12-50, the following types of personal information are legally protected should a data breach take place, when in combination with a Wyoming resident’s first name or first initial and last name, provided these data elements have not been redacted:
- Social security numbers.
- Driver’s license numbers.
- Tribal identification cards.
- Financial account numbers and credit and debit card numbers, as well as any associated passwords, security codes, or access codes that could be used to gain entry into an individual’s financial account.
- User names and email addresses, as well as any passwords or security question answers that could be used to gain entry into an individual’s online account.
- Birth and marriage certificates.
- Individual taxpayer identification numbers.
- Unique biometric identifiers, such as retina or iris prints and fingerprints.
- Federal and state-issued identification cards.
- Shared secrets or security tokens that are known to be used for data-based authentication.
- Health insurance information, meaning a person’s health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history.
- Medical information, including an individual’s medical history, mental or physical condition, and medical treatment or diagnosis made by a healthcare provider.
What are the penalties for violating Wyo. Stat. § 40-12-50?
In terms of the enforcement of the law, the provisions established in Wyo. Stat. § 40-12-50 are enforceable by the Wyoming attorney general. Accordingly, the Wyoming attorney general has the legal authority to impose punishments against individuals, businesses, and organizations within the state that fail to respect the rights of citizens within the state as it pertains to the handling of data breach incidents. Such punishments include monetary fines and civil liability, and the Wyoming attorney general also retains the right to impose further penalties at their own discretion, in accordance with other relevant legislation within the state.
While every data breach notification law within the U.S. will protect some form of personal information in the event that a data breach occurs, the scope of these protections can vary from state to state. While there are many states around the U.S. that cover a wide range of data in instances where a data breach takes place, the level of information that is protected under Wyo. Stat. § 40-12-50 is particularly far-reaching, as everything from birth certificates to biometric identification is covered under the law. To this point, residents of the state can truly rest assured that they will be able to protect themselves and their identities should personal information relating to them become compromised during or as a result of a data breach.