Continuing to add to the confusion surrounding provisions in 47 different state breach notification laws, Wyoming amended two laws last month which expand the definition of personal information requiring notification in the event of a breach starting in July of 2015.
Specifically, the definition of personal information was amended to include an individual’s first name or first initial or last name in combination with any one or more of the following data elements, when the data elements are not redacted: (1) Social Security number, (2) driver’s license number, (3) account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person, (4) tribal identification card, (5) federal or state government issued identification card, (6) shared (login) secrets or security tokens known to be used for data based authentication purposes, (7) a username or email address when combined with a password or security question and answer that would permit access to an online account, (8) a birth or marriage certificate, (9) medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, (10) health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claim’s history, (11) unique biometric data, or (12) an individual taxpayer identification number.
This broadened definition will certainly capture additional incidents involving the loss of personal information requiring notification in Wyoming. As we stated about the amendment to the Montana law [insert link here], we anticipate that additional state laws will be passed expanding the definition of personal information consistent with these two laws, so it is important to stay abreast of the amendments nationally in the event a company suffers a data breach. We will continue to report on changes to state breach notification laws as they are amended.