The states of Montana and Wyoming recently updated their data breach notification statutes. The revisions include updates to the states’ definitions of personal information subject to breach notification provisions, among other changes. Corporations with personal information of state residents in their possession should take note of the new provisions.
In Montana, House Bill (“H.B.”) 74 was signed into law by Governor Steve Bullock on February 27, 2015, and will go into effect on October 1, 2015. Notably, the legislation expands the state’s definition of “personal information” subject to the breach notification provisions to include medical record information (in combination with a first name or first initial and last name). H.B. 74 further requires data breach notices to be submitted to the Montana Attorney General and, for insurance entities, to the Montana Insurance Commissioner.
In Wyoming, two new data security bills, Senate File (“S.F.”) Numbers 35 and 36, were signed into law by Governor Matthew Mead on March 2, 2015. S.F. 35 relates to the content of data breach notifications and requires that such notices be “clear and conspicuous” and include “[t]he types of personal identifying information that were or are reasonably believed to have been the subject of the breach;” a “general description of the breach incident;” the “approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;” a general description of “the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;” “[a]dvice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports;” and finally, “[w]hether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.”
S.F. 36 comprehensively updates Wyoming’s definition of “personal identifying information” to include a person’s first name or first initial and last name along with one or more of the following data elements: “(iii) Social security number; (iv) Driver’s license number; (v) Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person; (vi) Tribal identification card; (vii) Federal or state government issued identification card; (viii) Shared secrets or security tokens that are known to be used for data based authentication; (ix) A username or email address, in combination with a password or security question and answer that would permit access to an online account; (x) A birth or marriage certificate; (xi) Medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (xii) Health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history; (xiii) Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes; (xiv) An individual taxpayer identification number.”
S.F. 35 and S.F. 36 take effect on July 1, 2015.