The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 

Back To Map
Rapid Response Hotline 877.382.2724

Wyoming

Data Breach Notification Statue

Highlights

Covered Entities: Applies to individual or commercial entities that conduct business in Wyoming and that own or license computerized data that includes personal identifying information about a resident of Wyoming.

Consumer Notification: An entity, when it becomes aware of a breach, shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident.

Regulatory Notification: N/A

Notification Timeline: Consumer notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. No regulatory timeline.

Data Format: Electronic.

Citations: Wyo. Stat. §§ 40-12-501 to 502

More Details

Definitions:

  • Breach: The unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.
  • Personal information (PI):
    • The first name or first initial and last name of a person in combination with one (1) or more of the below data elements when the data elements are not redacted:
      • Social Security number;
      • Driver’s license number;
      • Account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person;
      • Tribal identification card;
      • Federal or state government issued identification card;
      • Shared secrets or security tokens that are known to be used for data-based authentication;
      • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
      • A birth or marriage certificate;
      • Unique biometric data, meaning data generated from measurements or analysis of human body characteristics for authentication purposes;
      • Medical information;
      • Health insurance information;
      • An individual taxpayer identification number.
  • Medical Information: A person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • Health Insurance Information: A person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person, or information related to a person’s application and claims history.

Safe Harbors:

  • Encryption: Does not apply to personal information that is redacted. “Redact” means alteration or truncation of data such that no more than five (5) digits of the data elements are accessible as part of the personal information.
  • Good Faith: Good faith acquisition of personal identifying information by an employee or agent of a person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal identifying information is not used or subject to further unauthorized disclosure.
  • Risk of Harm: Notification not required if, after a reasonable and prompt investigation, the investigation determines that the misuse of personal identifying information about a Wyoming resident has not occurred or is not reasonably likely to occur.
  • Law Enforcement Delay: Notification required may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.

Direct Notice:

  • Timing: Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
  • Format: N/A
  • Content: Notice shall be clear and conspicuous and shall include, at a minimum:
    • A toll-free number:
    • That the individual may use to contact the person collecting the data, or his agent; and
    • From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.
    • The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;
    • A general description of the breach;
    • The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;
    • In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;
    • Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports;
    • Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.
  • Method: Notice to consumers may be provided by one (1) of the following methods:
    • Written notice;
    • Electronic mail notice; 
    • Substitute notice, if applicable

Substitute Notice:

Allowed as a means of notification if the entity demonstrates: (A) That the cost of providing notice would exceed ten thousand dollars ($10,000.00) for Wyoming-based persons or businesses, and two hundred fifty thousand dollars ($250,000.00) for all other businesses operating but not based in Wyoming; (B) that the affected class of subject persons to be notified exceeds ten thousand (10,000) for Wyoming-based persons or businesses and five hundred thousand (500,000) for all other businesses operating but not based in Wyoming; or (C) the entity does not have sufficient contact information.

Substitute notice shall consist of all of the following:

  • Conspicuous posting of the notice on the Internet, the World Wide Web or a similar proprietary or common carrier electronic system site of the person collecting the data, if the person maintains a public Internet, the World Wide Web or a similar proprietary or common carrier electronic system site; and
  • Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual's personal data is included in the security breach.

Remediation Services:

N/A

Regulatory Notice:

N/A

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

Any person who maintains computerized data that includes personal identifying information on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person.

The person who maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree which person or entity will provide any required notice as provided in subsection (a) of this section, provided only a single notice for each breach of the security of the system shall be required.

If agreement regarding notification cannot be reached, the person who has the direct business relationship with the resident of this state shall provide notice subject to the provisions of subsection (a) of this section.

HIPAA:

A covered entity or business associate that is subject to and complies with HIPAA is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of HIPAA.

Private Action:

The attorney general may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both.

Associated Regulations:

  • W.S. 6-3-901(b)(iii) through (xiv)
Back to Page