Montana and Wyoming have recently revised their data breach notification laws including their definitions of what constitutes Personally Identifiable Information (PII) subject to breach notification. They have added identifiers that will capture those data breach incidents involving health information and medical account information to address the rise in medical identity theft and fraud. Additionally, Wyoming deleted certain data elements such as place of employment and employee identification numbers, which benefits companies and their human resource departments. Companies storing the data of Wyoming residents now do not have an obligation to report such employee only information incidents.
Montana’s breach notification law will now also include a requirement to notify the Attorney General’s Consumer Protection Office, and get Insurance entities to simultaneously notify the state’s Insurance Commissioner. Wyoming now adds specific content requirements for notices to those individuals affected by a breach. Companies that have PII about Montana and Wyoming residents should note the following changes.
Governor Steve Bullock signed House Bill 74 into law on February 27, 2015. HB 74 will become effective on October 1, 2015 and amends multiple statutes that comprise the state’s data breach notification laws.
Currently, the definition of PII includes an individual’s first name or first initial with last name in combination with one or more of the following data elements, if either the name or data elements are not encrypted: Social Security number, driver’s license number, state identification card number, tribal identification card number, an account number or a credit or debit card number in combination with any security code, access code or password that would permit access to the financial account. Once the new law goes into effect, the definition of PII will be expanded to include medical record information as further defined by the Insurance Information and Privacy Protection Act in the Montana Code Annotated in section 33-19-104. In that section, “Medical Record Information” means personal information that: (a) relates to an individual’s physical or mental condition, medical history, medical claims history, or medical treatment; and (b) is obtained from a medical professional or medical care institution, the individual, or the individual’s spouse, parent, or legal guardian. Also, a taxpayer identification number or an identity protection personal information number issued by the Internal Revenue Service will be considered PII.
Notification to the Montana Attorney General’s Consumer Protection Office will now be mandatory; however insurance entities such as licensees or insurance support organizations must also, simultaneously, provide notification to the Montana Insurance Commissioner.
HB 74, also requires those entities providing notice to either the AG’s Office or the Insurance Commissioner to provide each with an electronic copy of the notification letter sent to individuals. The notice to the regulators must identify the number of affected individuals, if it exceeds more than one person. Finally, the notice must provide a statement describing the date and distribution method of the notice to affected individuals.
Governor Matthew Mead signed two bills, Senate File Numbers 35 and 36, into law on March 2, 2015, which together amend the state’s identity theft and data breach notification laws to broaden the definition of PII and they become effective on July 1, 2015.
Presently, the definition of PII includes an individual’s first name or first initial and last name in combination with any one or more of the following data elements when either the name or data elements are not redacted; Social Security number, driver’s license number or Wyoming identification card number, account number, credit card number or debit card number in combination with any security code or password that would allow access to a financial account of the person, tribal identification card number or a federal or state government issued identification number. Going forward, after July 1, 2015, the definition of PII will be reformed under the Wyoming data breach notification law to include an individual’s first name or first initial or last name in combination with any one or more of the data elements, when the data elements are not redacted: (1) Social Security number, (2) driver’s license number, (3) account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person, (4) tribal identification card, (5) federal or state government issued identification card, (6) shared (login) secrets or security tokens known to be used for data based authentication purposes, (7) a username or email address when combined with a password or security question and answer that would permit access to an online account, (8) a birth or marriage certificate, (9) medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, (10) health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claim’s history, (11) unique biometric data, or (12) an individual taxpayer identification number.
Notification to affected individuals is required to be clear and conspicuous, and at a minimum include the types of PII that were or are reasonably believed to have been the subject of a breach. The notice must include a general description of the breach incident, the approximate date of the breach, if known at the time notice is provided and the actions taken by the reporter to protect the system containing the PII from further breaches, also required is advice directing affected individuals to be on alert and vigilant for identity theft by monitoring credit reports and account statements and whether a law enforcement investigation resulted in a delay of notification, if known at the time of reporting.
The new statute also provides a safe harbor for Covered Entities and Business Associates that provide notification of breaches in compliance with and under the requirements of the Health Insurance Portability and Accountability Act (HIPAA), as under the new statutes such notification will be deemed to be in compliance with the Wyoming state data breach notification law.
Although, Montana and Wyoming may be amending their statutes to provide clarification and guidance to companies that hold the PII of their residents, the effect of adding more differing state requirements is to compound the difficulties of having differing data breach laws in force in 47 states, which increases the burden on a company trying to respond to a data breach and comply with the requirements of the often complained about “Patchwork of State Data Breach Laws.”
While there has recently been renewed efforts in Congress to enact a national data breach response statute, agreement on the content of the national standard appears to be unlikely in the near future, based on recent reports from the media covering the hearings.