top of page

Wyoming Statutes § 40-12-501 et seq

Enacted:  3.1.2007

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

“Breach of the security of the data system” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state. Good faith acquisition of personal identifying information by an employee or agent of a person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal identifying information is not used or subject to further unauthorized disclosure."

When is notice required?

Notice is required for any affected resident "in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." Notice may be written, electronic, or via "substitute notice" procedures, depending on the circumstances. The notice has to be clear and conspicuous and include at minimum: 

  • (i)  A toll-free number:

    • (A)  That the individual may use to contact the person collecting the data, or his agent; and

    • (B)  From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

  • (ii)  The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;

  • (iii)  A general description of the breach incident;

  • (iv)  The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;

  • (v)  In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;

  • (vi)  Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports;

  • (vii)  Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.

What are the penalties for non-compliance?

Violations have their own section of the law, § 40-12-502(f), which reads as follows: 

  • (f)  The attorney general may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.

bottom of page