Wyoming and Montana have expanded their data breach notification laws. Under Wyoming’s S.F. 36, the definition of personal identifying information (PII) now includes a person’s name in combination with a federal or state government-issued identification card; “shared secrets or security tokens” used for authentication; a username or email address in combination with a password or security question and answer; a birth or marriage certificate; medical or health insurance information; or individual taxpayer identification number. It actually narrows the definition of PII when it comes to financial accounts (including credit and debit card accounts), however, in that such accounts are considered PII only if combined with a security code, access code, or password that would allow access to the financial account. Montana’s new law (H.B. 74) adds medical information, taxpayer identification number, and the “identity protection personal identification number” issued by the Internal Revenue Service, to the definition of personal information. Montana also now requires that anyone that is required to notify affected individuals of a breach must also simultaneously submit an electronic copy of the notification to the state attorney general’s consumer protection office (excluding any information that personally identifies the individuals entitled to notification).