Montana recently passed an amendment to its 10-year-old data breach notification law that will require entities to notify the Montana attorney general of a breach by submitting an electronic copy of the individual breach notification and a statement providing the date and method of distribution of the notification. Additionally, the amendment adds medical record information, taxpayer ID, and “identity protection personal identification number” issued by the IRS to the definition of personal information. The amendments will go into effect on October 1, 2015.
Wyoming also passed two bills amending its data breach notification law to modify its definition of personal information and specify the type of information required in notices to Wyoming residents. Specifically, the following will be added to the definition of “personal information”:
- shared secrets or security tokens that are known to be used for data-based authentication;
- a username or email address, in combination with a password or security question and answer that would permit access to an online account;
- a birth or marriage certificate;
- medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history;
- unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; and
- an individual taxpayer identification number.
Further, one of the Wyoming bills amends the individual notice requirements to include the types of information involved in the breach; a general description of the breach; the approximate date of the breach; the actions taken by the entity to protect the system from further breaches; advice directing individuals to remain vigilant by reviewing accounts/credit reports; and whether notification was delayed by law enforcement. Lastly, the amendment provides that covered entities or business associates that comply with HIPAA will be deemed to be in compliance with the state individual notice requirements. The amendments to the Wyoming breach notice law take effect on July 1, 2015.
TIP: Montana joins a growing list of states – including CA, CT, FL, HI, IN, IA, LA, MA, MD, ME, MO, NC, NH, NJ, NY, PR, SC, VA, and VT – that require notice to state authorities in the event of a breach. Additionally, the amendments in Montana and Wyoming continue the trend of states expanding their definitions of what constitutes “personal information.”