by Brad Cave
Wyoming’s new data breach notification law takes effect July 1, meaning employers need to be ready for beefed-up notification requirements.
Wyoming law requires that any entity or person who conducts business in Wyoming and owns or licenses computerized data that include personal identifying information must notify affected consumers of a data breach. Because personal identifying information includes such things as Social Security numbers, addresses, phone numbers, and health insurance and medical information, most employers have data covered by the law.
Under the old law, breach notifications needed to include only a toll-free number that consumers could call to reach the business collecting their data, which would then provide the telephone numbers and addresses of the major credit-reporting agencies. Under the new law, notifications must provide much more information.
As of July 1, the notification must be clear and conspicuous, so there’s no hiding it in a document provided for other purposes. Also, at a minimum, the notification must include:
- The types of personal identifying information that are reasonably believed to have been breached;
- A general description of the breach;
- The approximate date of the breach;
- A general description of the actions taken by the individual or entity to protect the system containing personal identifying information from further breaches;
- Advice to consumers to review account statements and monitor credit reports; and
- Whether notification was delayed because of a law enforcement investigation.
The new law also includes an expanded definition of “personal identifying information” that will trigger notification after a breach.
For more information on Wyoming’s new data breach notification law, see the June issue of Wyoming Employment Law Letter.