Nevada and Wyoming Expand Breach Notification Laws to Protect Account Credentials

On July 1, 2015, both Nevada and Wyoming’s breach notification law amendments come into force, expanding the definition of Personal Information (“PI”) to include account credentials such as a username or email address. With these amendments, the two states join California and Florida in a small but growing number of states that have overhauled breach notification laws to expand privacy protections for consumers.

Nevada’s breach notification laws will now define PI to include the following account information: ​“a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.” The change to the Nevada law also means that companies may have to ensure that account credentials are encrypted to comply with Nevada’s requirements to safeguard PI.

Under Wyoming’s law, login credentials will now be subsumed under the definition of PI along with several other broad categories of information. Notably, Wyoming’s updated law will include one of the broader definitions of PI and may affect the consumer or employee records or profiles maintained by a business.

These changes will expose industry to added compliance requirements. Companies doing business in these states should take stock of the information they collect and consider whether additional measures should be put in place to ensure compliance with the updated laws. We will continue to monitor updates to breach notification laws and how these changes will affect business compliance going forward.