Wyo. Stat. § 40-12-501 et seq.
(Scroll down to Title 40, Chapter 12, Article 5)
Effective July 1, 2007
Senate File Nos. 35 and 36 (signed into law March 2, 2015)
Effective July 1, 2015
Application. An individual or commercial entity (collectively, Entity) that conducts business in WY and that owns or licenses computerized data that includes PI about a resident of WY.
Security Breach Definition. Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of PI maintained by an Entity and causes or is reasonably believed to cause loss or injury to a resident of WY.
- Good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the data system, provided that the PI is not used or subject to further unauthorized disclosure.
Notification Obligation. Any Entity to which the statute applies shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that PI has been or will be misused. If the investigation determines that the misuse of PI about a WY resident has occurred or is reasonably likely to occur, the Entity shall give notice as soon as possible to the affected WY resident.
Third-Party Data Notification. An Entity that maintains computerized data that includes PI on behalf of another Entity shall disclose to the Entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that PI was, or is reasonably believed to have been, acquired by an unauthorized person.
The Entity that maintains the data on behalf of another Entity and Entity on whose behalf the data is maintained may agree which Entity will provide any required notice, provided only a single notice for each breach of the security of the system shall be required. If agreement regarding notification cannot be reached, the Entity who has the direct business relationship with the resident of WY shall provide the required notice.
Timing of Notification. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Personal Information Definition. The first name or first initial and last name of a person in combination with one or more of the following data elements when the data elements are not redacted:
- Social Security number;
- Driver’s license number;
- Account number, credit card number, or debit card number in combination with any security code, access code, or password that would allow access to a financial account of the person;
- Tribal identification card;
- Federal or state government-issued identification card;
- Shared secrets or security tokens that are known to be used for database authentication;
- A username or email address, in combination with a password or security question and answer that would permit access to an online account;
- A birth or marriage certificate;
- Medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- Health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or information related to a person’s application and claims history;
- Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; or
- An individual taxpayer identification number.
PI does not include information, regardless of its source, contained in any federal, state or local government records or in widely distributed media that are lawfully made available to the general public.
Notice Required. Notice shall be clear and conspicuous and shall include, at a minimum:
- A toll-free number that the individual may use to contact the person collecting the data, or his/her agent, and from which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies;
- The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;
- A general description of the breach incident;
- The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;
- In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports; and
- Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.
Notice may be provided by one of the following methods:
- Written notice; or
- Email notice.
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $10,000 for WY-based Entities, and $250,000 for all other Entities operating but not based in Wyoming; that the affected class of subject persons to be notified exceeds 10,000 for WY-based Entities and 500,000 for all other businesses operating but not based in WY; or the person does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Conspicuous posting of the notice on the website of the person collecting the data, if the person maintains one; and
- Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual’s personal data is included in the security breach.
Exception: Compliance with Other Laws.
- Certain Financial Institutions. Any financial institution as defined in 15 U.S.C. § 6809 or federal credit union as defined by 12 U.S.C. § 1752 that maintains notification procedures subject to the requirements of 15 U.S.C. § 6801(b)(3) and 12 C.F.R. pt. 364 App. B or pt. 748 App. B, is deemed to be in compliance with the statute if the financial institution notifies affected WY customers in compliance with the requirements of 15 U.S.C. § 6801 through 6809 and 12 C.F.R. pt. 364 App. B or pt. 748 App. B.
- HIPPA. A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the regulations promulgated under that Act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of HIPAA and 45 C.F.R. Parts 160 and 164.
Other Key Provisions:
- Delay for Law Enforcement. The notification required by the statute may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.
- Attorney General Enforcement. The state Attorney General may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both.