Wyoming
|
Click here to review text of state statute (see Stat., Title 40, Chapter 12 §§40-12-501, et seq.) |
Information Covered / Important Definitions
Information covered:
Personal identifying information about a resident of Wyoming.
Definition includes (i) tribal identification card, (ii) federal or state government issued identification card, (iii) shared secrets or security tokens that are known to be used for data based authentication, (iv) username or email address in combination with a password or security question and answer that would permit access to account, (v) a birth or marriage certificate, (vi) medical information, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, (vii) health insurance information, including a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history, (viii) unique biometric data, including data generated from measurements or analysis of human body characteristics for authentication purposes, and (ix) individual taxpayer identification number.
Important definitions:
“Security Breach” means an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of Wyoming.
Covered Entities* / Third Party Recipients
Subject to statute:
Any individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming.
Third party recipients:
Any covered entity that maintains computerized data that includes personal identifying information that the covered entity does not own or license must notify the owner or licensee of the information of any security breach as soon as practicable following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal or civil investigation or jeopardize homeland or national security (in which case notification is delayed until authorized by law enforcement).
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $10,000 for Wyoming-based businesses (or $250,000 for out-of-state businesses), affected class exceeds 10,000 persons for Wyoming-based businesses (or 500,000 for out-of-state businesses), or covered entity has insufficient contact information.
- Notice not required if, after a reasonable and prompt investigation, the covered entity determines that there is no reasonable likelihood that personal information has been or will be misused.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is redacted.
Other exemptions:
Financial institutions regulated by certain federal laws described in the statute are exempt.
Any covered entity subject to HIPAA is exempt.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
Penalties
Actions in law or equity permitted to ensure compliance with Wyoming statute and to recover damages.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
|
Click here to review text of state statute (see Stat., Title 40, Chapter 12 §§40-12-501, et seq.) |