Companies that electronically store personal information about residents of Montana and Wyoming must now take note of additional notice requirements following data breach incidents. With the ever-increasing number of such occurrences, states such as Montana and Wyoming are striving to clarify what companies must do when the inevitable breach happens.
In Montana and Wyoming, a company’s duty to notify of a data breach is triggered when personally identifiable information (PII) is acquired by an unauthorized individual. It is the definition and scope of PII that leaves those responsible scratching their heads and worriedly looking for answers.
Until recently, PII had been defined in Montana to include a person’s first name or first initial, last name, and one or more additional identifiers such as Social Security number, driver’s license number, financial account information, and so on. Now, Montana HB 74, which goes into effect on October 1, 2015, specifically expands the list of “additional identifiers” that constitute the definition of PII to include:
- Information that relates to an individual's physical or mental condition
- Medical history, medical claims history, or medical treatment information obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian.
In addition to medical record information, a tax identification number is among the listed “additional identifiers” that may be considered PII.
Finally, if notification is required under HB 74, a company must “simultaneously” provide a copy of the notice to the Montana Attorney General’s Consumer Protection Office. In the event that the entity required to provide notice is an insurance company or an “insurance-support organization,” simultaneous notice must be given to the Montana Insurance Commissioner.
Under Wyoming law, the definition of PII similarly includes a person’s first name or first initial, last name, and one or more additional identifiers such as social security number, driver’s license number, certain financial account information, credit card number, and so on. Now, under Senate File 36, which goes into effect on July 1, 2015, the Wyoming legislature has expanded the list of “additional identifiers” to include:
- Username or email address with password or security question and answer
- Birth or marriage certificate
- Medical, biometric or health insurance information
- Individual taxpayer identification number.
In addition to the expanded definition of PII, Wyoming law now requires that notice be “clear and consistent” and include at a minimum:
- A toll-free number to contact the organization
- Types of PII affected
- A general description of the breach
- Approximate date of the breach
- General actions taken to protect against further breaches
- Advice relating to reviewing account statements and monitoring credit reports
- Whether the notification was delayed due to law enforcement.
Simply comparing the Wyoming and Montana statutes highlights the disparate manner in which states approach data privacy and security. Companies struggle to navigate the different requirements that are triggered when maintaining customer PII from multiple geographic areas. From a practical standpoint, companies may want to consider complying with the most restrictive law, thus by default complying with the least restrictive. Additionally, companies should ensure that their incident response plans reflect the changes in law. As the definition of “personal information” continues to grow, so too does a company’s requirement to take reasonable security measures to protect this information.