Wyoming has approved two Senate bills that update the state’s data privacy laws. Senate Files 35 and 36 expand on the definition of what constitutes a breach of personal information, and what steps organizations must take when a data breach takes place. Missing from the update: a safe harbor clause that would protect organizations if data encryption is used to safeguard the data.
Tokens and Security Questions are PII, Too (According to the Law)
According to trib.com, Senate File 36 amended the definition of “personal identifying information” (PII) to include:
birth or marriage certificates, health and medical insurance information, and “security tokens” like passwords or security questions such as “What is your mother’s maiden name?” if they are linked to an account log-in or similar security procedure.
It’s a somewhat surprising development, not because the loss or theft of such data should be left out of the legal definition for PII, but because it is so specific. The thing I’ve learned about legislators over the past five years is that they hate being too specific about data security definitions because things in the tech world grow old and useless sooner rather than later. For example, the inclusion of security questions as PII makes sense, but so do all the other security devices, mechanisms, and protocols that will be developed in the future as well. It’s often simpler and more effective to create a catch-all clause to account for these.
Toll-Free Numbers are Not Enough
Also, the approved bills put a further onus on companies to alert people of a data breach. Previously, a company only needed to set up a toll-free number where people could call in to get more information on a data breach. Now,
companies would have to provide information about the types of data that was breached, a description of how the breach happened, when it happened, what actions the company has taken to protect against future breaches and whether notification of the breach was delayed because of a law enforcement investigation.