Montana and Wyoming recently amended their data breach statutes to expand the definition of personally identifiable information or PII (partly to address tax fraud issues, which we recently blogged about here), to require notice to state regulators (Montana), and to increase the quality and quantity of information that an entity reporting a breach must disclose to the affected individuals (Wyoming).
Here is what you need to know.
Montana Governor Steve Bullock signed HB 74 into law on February 27, 2015. This bill, which amends the state’s data breach notification statutes, Mont. Code Ann. § 30-14-1704, Mont. Code Ann. §§ 2-6-501 and 2-6-504, and Mont. Code Ann. § 33-19-321, becomes effective on October 1, 2015. It does two significant things:
- expands the definition of personally identifiable information; and
- requires notice of a breach to government officials.
Presently, Montana law defines personal information as an individual’s first name or initial with last name in combination with: a Social Security number, driver’s license number, state ID card number, tribal ID card number, or an account, credit or debit card number in combination with a code or password that would allow access to that account. The bill expands this definition by adding the following to the latter list: medical record information, a taxpayer identification number, and an identity protection personal identification number issued by the US IRS.
Montana law also presently requires entities covered by the statute to report data breaches to the affected individuals. But the new bill, HB 74, extends the reporting requirement to include the state attorney general’s office of consumer protection or the insurance commissioner (if the reporting entity is an insurer). Such notices must include: an electronic copy of the notification letter that was sent to the affected individuals, the number of individuals affected if more than one, and the date and manner of notification to the affected individuals.
Wyoming Governor Matt Mead signed S.F. 35 and S.F. 36 into law on March 2, 2015. These bills, which amend the state’s data breach notification statute, Wyo. Stat. Ann. § 40-12-502, become effective on July 1, 2015. They do two things:
- broaden the definition of personally identifiable information; and
- increase the information that must be disclosed to individuals affected by a breach.
Currently, Wyoming law defines personal identifying information to include first name or initial with last name in combination with a Social Security number, driver’s license number, state identification card number, an account, credit or debit card number in combination with any security code, access code or password that would allow access to an individual’s financial account, tribal identification card number, or federal or state government issued identification card. These bills expand this definition by adding the following to the latter list: address, telephone number, shared login secrets or security tokens known to be used for data based authentication, a username or e-mail address in combination with a password or security question and answer, a birth or marriage certificate, medical, biometric or health insurance information, or an individual taxpayer identification number.
Montana law presently requires that an entity providing notice of an incident to affected individuals include a toll-free number that can be used to contact the entity and obtain information about the major credit bureaus. The amendments provide that the notice must be “clear and conspicuous” and must also include: the types of PII that were or are reasonably believed to have been the subject of the breach, a general description and approximate date of the incident, the actions taken by the individual or commercial entity to protect against further incidents, advice that the affected individual review account statements and monitor credit reports, and whether notification was delayed as a result of a law enforcement investigation.