Wyoming Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Wyoming's data breach notification law applies exclusively to individuals and commercial entities in the private sector. While the state does not impose a fixed notification deadline or require reporting to state agencies, its definition of personal identifying information is surprisingly broad, encompassing categories that many larger states have yet to adopt, including birth and marriage certificates, tribal identification cards, shared security tokens, and health insurance information.

The law is codified at Wyo. Stat. 40-12-501 (definitions) and Wyo. Stat. 40-12-502 (notification requirements). Originally enacted in 2007, the law was significantly amended in 2015 by Senate Files 35 and 36, which expanded the definition of personal identifying information and added specific notice content requirements.

For a broader look at Wyoming's privacy framework, see the parent guide to [Wyoming Data Privacy Laws](/us-laws/data-privacy-laws/wyoming-data-privacy-laws).

Who Must Comply

Wyoming's breach notification law applies to any individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data containing personal identifying information about Wyoming residents.

The law is specifically limited to the private sector. Government agencies are not covered by this statute, making Wyoming one of the few states where public entities have no statutory breach notification obligations under this particular law.

Third-party data custodians are also covered. If a person or entity that maintains computerized data containing personal identifying information on behalf of another entity discovers a breach, it must notify the data owner or licensee in the most expedient time possible. The data owner then bears responsibility for consumer notification.

What Qualifies as Personal Identifying Information

Wyoming's definition of personal identifying information is among the most comprehensive in the country. Under Wyo. Stat. 40-12-501(a)(vii), personal identifying information means a person's first name or first initial and last name combined with one or more of the data elements specified in Wyo. Stat. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted:

• Social Security number
• Driver's license number
• Financial account number, credit card number, or debit card number combined with any security code, access code, or password permitting access to a financial account
• Tribal identification card
• Federal or state government-issued identification card
• Shared secrets or security tokens known to be used for data-based authentication
• Username or email address combined with a password or security question and answer permitting access to an online account
• Birth or marriage certificate
• Medical information, including medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
• Health insurance information, including policy numbers, subscriber IDs, unique insurer identifiers, and claims history
• Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes
• Individual taxpayer identification number

The inclusion of birth and marriage certificates, tribal IDs, shared authentication secrets, and health insurance claims history distinguishes Wyoming from the majority of states. The 2015 amendments added many of these expanded categories.

Personal identifying information does not include information contained in federal, state, or local government records or widely distributed media that are lawfully made available to the general public.

What Triggers the Notification Requirement

A "security breach" under Wyoming law means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal identifying information and causes, or is reasonably believed to cause, loss or injury to a Wyoming resident.

The trigger involves a two-part analysis:

1. Material compromise: The unauthorized acquisition must materially compromise the security, confidentiality, or integrity of the data. Minor or inconsequential incidents may not meet this threshold.

2. Loss or injury: The breach must cause, or be reasonably believed to cause, loss or injury to a Wyoming resident.

When an entity becomes aware of a potential breach, it must conduct a good-faith, reasonable, and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that misuse has occurred or is reasonably likely, notification is required.

Good-faith acquisition of personal identifying information by an employee or agent of the entity does not constitute a breach, provided the information is not used or disclosed in an unauthorized manner.

Notification Timeline

Wyoming requires notice "in the most expedient time possible and without unreasonable delay," consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system.

There is no specific day count. This open-ended standard allows entities flexibility for investigation but provides less certainty than states with fixed deadlines.

Law enforcement may request a delay in notification if it would impede a criminal investigation or jeopardize homeland security. Notification must proceed once the law enforcement agency determines it will no longer compromise the investigation.

What the Consumer Notice Must Include

The 2015 amendments added specific content requirements for breach notifications. The notice must include, at minimum:

• The types of personal identifying information that were or are reasonably believed to have been the subject of the breach
• A general description of the breach incident
• The approximate date of the breach, if reasonably determinable at the time of notice
• In general terms, the actions taken by the entity to protect the system from further breaches
• Advice directing the person to remain vigilant by reviewing account statements and monitoring credit reports
• Whether notification was delayed as a result of a law enforcement investigation, if reasonably determinable
• Toll-free contact telephone numbers and addresses for the major credit reporting agencies

The notice must be clear and conspicuous. These content requirements are more detailed than many states with open-ended notification standards.

Methods of Notification

Wyoming allows notification through several methods:

• Written notice sent to the most recent address the entity has on file
• Electronic notice if the entity's primary method of communication with the affected person is by electronic means, or consistent with the E-SIGN Act
• Telephonic notice if it is not a prerecorded message and the entity can reasonably verify it is speaking directly with the affected person

Substitute Notice

Wyoming allows substitute notice, but the thresholds differ depending on whether the entity is based in Wyoming:

Wyoming-based entities may use substitute notice if:

• The cost of notice would exceed $10,000
• The affected class exceeds 10,000 persons
• The entity does not have sufficient contact information

Non-Wyoming-based entities may use substitute notice if:

• The cost of notice would exceed $250,000
• The affected class exceeds 500,000 persons
• The entity does not have sufficient contact information

Substitute notice requires email notification (if addresses are available) and conspicuous posting on the entity's website. If the entity does not have a website, substitute notice must include notification to major statewide media.

The lower thresholds for Wyoming-based entities reflect the smaller scale of many in-state businesses.

No Attorney General Notification

Wyoming does not require notification to the Attorney General or any other state agency when a data breach occurs. There is also no requirement to notify consumer reporting agencies, regardless of the number of affected residents.

This makes Wyoming one of the least demanding states in terms of government reporting obligations.

Encryption Safe Harbor

Wyoming provides an encryption safe harbor. The notification requirements apply only when the data was "not encrypted, redacted, or otherwise rendered unreadable." If the compromised data was properly encrypted at the time of the breach, notification is not required.

Exceptions

Under Wyo. Stat. 40-12-505, entities that maintain notification procedures pursuant to federal law or regulation, such as HIPAA or the Gramm-Leach-Bliley Act, are deemed in compliance with Wyoming's notification requirements if they comply with their federal obligations.

Enforcement

The Wyoming Attorney General may bring an action in law or equity to address any violation and for other relief that may be appropriate to ensure compliance, recover damages, or both.

There is no private right of action. Individual consumers cannot sue directly under this statute for notification failures.

The statute does not specify maximum penalty amounts, leaving enforcement remedies to the discretion of the courts. The AG may seek injunctive relief, compliance orders, and damages based on the circumstances of each case.

More Wyoming Laws

• Wyoming Recording Laws
• Wyoming Data Privacy Laws
• Wyoming Recording Laws
• Wyoming Recording Laws
• Wyoming Recording Laws
• Wyoming Data Privacy Laws

Sources and References

This article references Wyoming state statutes. Nothing in this article constitutes legal advice. Consult a licensed attorney in Wyoming for guidance on specific compliance obligations.

• Wyo. Stat. 40-12-501: Definitions
• Wyo. Stat. 40-12-502: Computer Security Breach, Notice to Affected Persons
• Wyo. Stat. 40-12-505: Exceptions
• Wyo. Stat. 6-3-901: Personal Identifying Information Definitions
• Wyoming Attorney General: Privacy
• Wyoming Legislature: SF 35 and SF 36 (2015 Amendments)