The scope of PII and data breach notice just got a lot bigger in Big Wyoming.
Wyoming Governor Matt Mead signed two bills into law on March 2 amending the state’s data breach notification statute. The bills – S.F. 35 and S.F. 36 – broaden the definition of personally identifiable information (“PII”) and mandate that covered entities include additional information regarding the breach whenever notice to affected individuals is required.
The amendments, which go into effect July 1, 2015, make significant alterations to Wyoming’s data breach notification statute. For instance, S.F. 35 now mandates that notice be “clear and consistent” and include at minimum:
- A toll-free number for consumers to contact the business;
- The types of PII reasonably believed affected;
- A general description of the breach;
- The approximate date of the breach, if known;
- The business’ general actions taken to guard against further breach;
- Advice directing affected persons to remain vigilant by reviewing account statements and monitoring credit reports; and
- Whether the notification was delayed due to a law enforcement investigation.
Additionally, S.F. 36 enlarges the definition of PII under the statute to comprise data that contains the first name or first initial and last name of a person in combination with one or more of the following elements:
- A Social Security or driver’s license number;
- An account, credit card or debit card number in combination with any required code or password;
- A tribal identification card, or a federal or state government-issued identification card;
- Shared login secrets or security tokens known to be used for data-based authentication;
- A username or email address, in combination with a required password or security question and answer;
- A birth or marriage certificate;
- Medical information (i.e., medical history, mental or physical condition, or medical treatment or diagnosis);
- Health insurance information;
- Unique biometric information; or
- An individual taxpayer identification number.
The governor’s signing of the bills followed the Wyoming legislature’s final approval of the amendments on February 23. The swift introduction and passage of S.F. 35 and S.F. 36 show that data security is a hot topic in legislatures across the country, and remains one policy area where Democrats and Republicans are able to bridge their partisan divide. Indeed, numerous data breach bills have been introduced at both the national and state levels during the 2015 legislative sessions. This is not surprising, given the high level of attention that data breaches received in the media over the past year and the fact that data breach notice is not politically controversial.
Yet in expanding the scope of PII, the amendments will increase how often businesses have to notify consumers of breaches of their information, which in turn will drive up affected businesses’ compliance costs.
It is still relatively early in the legislative calendar, so it is unclear how many more states will follow Wyoming’s lead and alter their data breach statutes. It is also uncertain whether any of the data breach notification bills currently pending in Congress will gain traction and become law. However, it’s a relatively safe bet that data breach bills will continue to attract legislators’ attention for the remainder of 2015’s legislative sessions.