The state of Wyoming has updated its data breach notification statute to include medical and insurance information in its definition of "personal identifying information."
Data breach notification statutes dictate when companies must notify affected individuals in the event of a lapse in cybersecurity. Every state has different requirements for when a company must inform affected individuals and what information constitutes personal identifying information.
The definition of personal identifying information now includes a first name or first initial and last name in combination with a Social Security number, driver's license number, bank account number, credit card number or debit card number with a security code, access code or password, a tribal ID, federal or state government-issued ID card, shared login secrets or security tokens, a username or email address with a password or security question and answer, birth or marriage certificate, medical history, mental or physical condition or diagnosis or treatment by a healthcare professional, health insurance policy number or subscriber ID number, unique biometric data or a tax PIN.
Wyoming's updated statute is now more rigorous than those of other states such as California or Florida. Most states only include a name plus an ID such as a Social Security number or other financial data, according to Lexology.
The updated breach notification portion also now requires notices to individuals to include the types of information subject to the breach, a general description of the breach, the approximate date of the breach, remedial actions taken by the breached entity, advice directing the Wyoming resident to remain vigilant, and whether notification was delayed pursuant to a request from law enforcement, according to the report.