2 States First to Update Data Security Laws for 2015

Montana and Wyoming, wrangling western individualism, passed new data breach notification laws. Here’s what they did:

Wyoming expanded what information triggers a data breach notification to include:

  • Username or email address with password or security question and answer
  • Birth or marriage certificate
  • Medical, biometric or health insurance information
  • Individual taxpayer identification number.

Wyoming also expanded what should be included in a notification received by a consumer to include:

  • A toll-free number to contact the organization
  • Types of PII affected
  • A general description of the breach
  • Approximate date of the breach
  • General actions taken to protect against further breaches
  • Advice relating to reviewing account statements and monitoring credit reports
  • Whether the notification was delayed due to law enforcement.

Montana also expanded what type of information triggers a notification, to include:

  • Information that relates to an individual’s physical or mental condition
  • Medical history, medical claims history, or medical treatment information obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian
  • A tax ID number.

Montana also broadened which entities receive notification to include:

  • A company must “simultaneously” provide a copy of the notice to the Montana Attorney General’s Consumer Protection Office.
  • If the data breach involves insurance information, simultaneous notice must be given to the Montana Insurance Commissioner.

Wilson Elser via JD Supra