Wyoming

Wyo. Stat. § 40-12-501 et seq.

Effective July 1, 2007

Application. An individual or commercial entity (collectively, Entity) that conducts business in WY and that owns or licenses computerized data that includes PI about a resident of WY.

Security Breach Definition. Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained by an Entity and causes or is reasonably believed to cause loss or injury to a resident of WY.

Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the data system, provided that the PI is not used or subject to further unauthorized disclosure.

Notification Obligation. Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused. If the investigation determines that the misuse of PI about a WY resident has occurred or is reasonably likely to occur, the Entity shall give notice as soon as possible to the affected WY resident.

Third-Party Data Notification. An Entity that maintains computerized data that includes PI on behalf of another Entity shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that PI was, or is reasonably believed to have been, acquired by an unauthorized person. The Entity that maintains the data on behalf of another Entity and Entity on whose behalf the data is maintained may agree which Entity will provide any required notice, provided only a single notice for each breach of the security of the system shall be required. If agreement regarding notification cannot be reached, the Entity who has the direct business relationship with the resident of WY shall provide the required notice.

Timing of Notification. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Personal Information Definition. The first name or first initial and last name of a person in combination with one or more of the following data elements when either the name or the data elements are not redacted:

Social Security Number;
Driver license number or WY identification card number;
Account number or credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person;
Tribal identification card; or
Federal or state government-issued identification card.

PI does not include information, regardless of its source, contained in any federal, state or local government records or in widely distributed media that are lawfully made available to the general public.

Notice Required. Notice shall include a toll-free number that the individual may use to contact the person collecting the data, or his agent; and from which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
Notice may be provided by one of the following methods:

Written notice; or
Electronic mail notice.

Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $10,000 for WY-based Entities, and $250,000 for all other Entities operating but not based in Wyoming; that the affected class of subject persons to be notified exceeds 10,000 for WY-based Entities and 500,000 for all other businesses operating but not based in WY; or the person does not have sufficient contact information. Substitute notice shall consist of all of the following:

Conspicuous posting of the notice on the Internet, the World Wide Web or a similar proprietary or common carrier electronic system site of the person collecting the data, if the person maintains a public Internet, World Wide Web or a similar proprietary or common carrier electronic system site; and
Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.

Exception: Compliance with Other Laws.

Certain Financial Institutions. Any financial institution as defined in 15 U.S.C. § 6809 or federal credit union as defined by 12 U.S.C. § 1752 that maintains notification procedures subject to the requirements of 15 U.S.C. § 6801(b)(3) and 12 C.F.R. pt. 364 App. B or pt. 748 App. B, is deemed to be in compliance with the statute if the financial institution notifies affected WY customers in compliance with the requirements of 15 U.S.C. § 6801 through 6809 and 12 C.F.R. pt. 364 App. B or pt. 748 App. B.

Other Key Provisions:

Delay for Law Enforcement. The notification required by the statute may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.
AG Enforcement. The state AG may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both.