Montana and Wyoming passed legislation this year that, in the coming months, will put rules in place expanding the types of data that, if affected by a breach, require companies to notify their customers. Both states have broadened the definition of personal information (PI) within company-owned or licensed computerized data, specified how notice should be provided, and will require notification to state agencies.
Montana — which made headlines last year after announcing that a state-owned computer containing about 1.3 million citizens’ personal data had been hacked — will require notification following the theft of information relating to physical or mental conditions, medical history, claims or treatment. Notification is already required for theft of information such as names, Social Security numbers and driver’s license numbers. This means that a name in combination with a medical record, taxpayer identification number, or identity protection personal identification number issued by the IRS is considered PI unless the data is encrypted.
Wyoming’s existing requirements are similar to Montana’s, but its standards will grow to include usernames, passwords or online security questions, in addition to birth or marriage certificates and medical information. Thankfully, if this information is contained in any government records or widely distributed media that is lawfully made available to the general public, it is exempted from the definition of PI. If this carve-out did not exist, companies that experienced a breach of merely names and addresses may have to provide notice.
The new requirements take effect July 1 in Wyoming and Oct. 1 in Montana. All but three states have security breach laws similar to those in Montana and Wyoming — and the rules are anything but uniform. A lot of the variations reflect the different locales’ divergent perspectives on balancing privacy versus business concerns.
As knowledge about data security increases, states with newer laws are often more stringent than states that have had something on the books for a while. California’s rules are considered to be among the toughest in the country – so much so that privacy and consumer groups in that state objected to proposed federal rules earlier this year that they said didn’t do enough. Across the country – and with some exceptions – state laws have been strongest in the Northeast and on the West Coast and less stringent in the South and in the more inland western states, according to a 2012 study by data security company Imation Corp.
But there’s been no decisive federal action, creating a hodgepodge of 47 state standards that businesses must deal with. Providing notice is not a cheap endeavor, so the more expansive the PI definition and notice requirements, the greater the expense to a company that has experienced a data breach. The best way to avoid making a chaotic breach even more chaotic is to keep vigilant watch over the evolving state requirements in every state where you do business.