Montana and Wyoming amended their data security breach notifications laws to redefine what constitutes personally identifiable information, altering the types of data that would trigger a notification requirement. Notably, both states now include health and medical record information within the category of personally identifiable information. In addition, Wyoming has removed certain employment data from the definition, including a person's place of employment and employee identification number, and added other types of data, such as login and password information that would permit access to an online account. A separate bill amended Wyoming's law to require companies to provide "clear and conspicuous notice" to individuals affected by a data security breach, including at a minimum a general description of the breach, the approximate date of the breach, actions taken to guard against future breaches, and advice for how to remain vigilant in protecting against identity theft. Lastly, Montana's law now requires companies to notify the state attorney general's Consumer Protection Office in addition to affected individuals, and insurance entities must also notify the state's insurance commissioner. The full text of Montana's law as amended, which becomes effective in October 2015, is available here . The amended provisions of Wyoming's law go into effect in July 2015 and are available here and here .
Connecticut created a new permanent department within the Office of the Attorney General this month titled the Privacy and Data Security Department. Formed to continue the work of an interdisciplinary Privacy Task Force appointed in 2011, the new department will work exclusively on investigations and litigation related to data security and consumer privacy. The announcement from Attorney General George Jepsen is available here .